Description

Field of the Invention 

This invention relates generally to data communication systems, and more specifically to secure data processing on a data communication system.

Background of the Invention 

Data Enclave 

Individuals working in a departmental computing environment typically have a substantial amount of computing power on their desks in the form of personal computers and workstations. A workstation has a computational subsystem, keyboard, and display for user interaction, and typically substantial amounts of local data storage in the form of fixed and removable media.

In order for the individuals in the departmental computing environment to interact and share data, their workstations are typically attached to a local area network (LAN) which permits the transfer of data files and electronic mail between the workstations. In addition, "servers" may be attached to the LAN to provide specialized services, such as the management of centralized databases, which are not practical for individual workstations.

Departmental computing environments are typically members of a larger organization or have other reasons to communicate with computing facilities outside themselves. They therefore make use of a special kind of server, called a "gateway", to gain access to a wide area network (WAN). WANs are often interconnected (called "internetting") to provide world-wide data transmission paths.

Departmental Computing Environment 

A typical overall departmental computing environment is shown in Figure 1. In the departmental computing environment 1, large amounts of valuable data are stored on magnetic or other electronic Media 2, 4 for processing in the Workstations 10 and file servers (not shown). This media offers the benefits of compact storage, easy retrieval, and in the case of removable Media 4 (e.g., "diskettes"), convenient sharing and distribution.

In addition, data is transmitted freely around the Local Area Network 12 and occasionally through a Gateway 14 to the Wide Area Network 16 and Remote Sites 18. This transmission is necessary in order for the organization performing departmental computing to perform its internal work and interact with the outside world.

There is also a requirement that certain operations, including but not limited to the transmission of data to the outside world, be restricted to individuals who possess special privileges. Examples of such operations are messages (electronic mail) which are directive in nature, such as orders to transfer funds, and operations such as the adding of new orders or the granting of limited access to departmental data to users on the Wide Area Network 16 (remote login and file transfer).

Threats Against Departmental Computing Environment

The threats against the departmental computing environment are shown in Figure 2.

The data in this environment is vulnerable to theft and tampering. Removable media can be stolen, copied, and returned with no sign that loss has occurred. The fruits of thousands of hours of labor can be stolen in a package that fits easily in a coat pocket. Crucial data can be modified or destroyed, either directly or through the agency of technical entities such as "viruses", which are introduced into the Workstations 10 and servers through the agency of corrupted media or through the wide area network connection.

There are also threats to the privileged operations. Unauthorized individuals, masquerading as someone else, can cause disruptive or erroneous directives to be issued and thereby perpetrate sabotage and fraud. Malicious "hackers" with access to the wide area network can use that network to "reach in" to the departmental computing environment and masquerade as authorized users or otherwise obtain access to data, which they can then transfer worldwide, again with no sign that compromise has occurred.

Accordingly, there is a need for techniques whereby a departmental computing system 1 can be converted into a "data enclave." Within such an enclave:

(1) Data can be restricted to a single organization, such as a government agency or a corporation.

(2) Sharing of data between organizational elements (directorates, departments, projects, etc.) can be controlled. For example, it may be required that data such as a telephone directory be accessible by every employee, but data such as engineering drawings should not be allowed to circulate throughout the whole corporation.

(3) Sharing of data between individuals in organizational elements can be controlled. For example, even though an individual is a member of the engineering department, that individual may not have a "need to know" for all of the drawings in the department.

(4) Data is protected from technical attacks such as "viruses" and "worms."

(5) Intellectual property is protected irrespective of whether it is on electronic media, being processed in a Workstation, or being transferred around the local area network.

(6) The protections are achieved with minimum cost and disruption of operations, such as would occur if access to the wide area network were forbidden.


(7) Privileged operations are restricted to those users possessing the requisite privileges and cannot be invoked, through masquerading or other technical means, by unauthorized users.

As shown in overview form in Figure 3, and as will be described more fully in the Detailed Description of the Invention, the facilities provided by the present invention convert a departmental computing environment into a "data enclave" 20 with a well-defined perimeter 22. Sharing of data within the Enclave 20 is controlled, and movement of data within and outside the enclave can only be effected by authorized individuals with suitable privilege. There are no "sneak paths" or "holes" that exist.

The present invention also minimizes the damage that can be done by privileged individuals who become subverted. Cryptographic keys are transmitted and stored entirely in enciphered form, and well-known techniques (called "antitamper" technology) can be used to protect an enclave key when it is in use inside a cryptographic device. Theft of elements of the present invention does not compromise any part of the operation of the invention.

Individuals desiring access to Media 2, 4 have to deal with a Secure Computer 24, in this case a security server, only when Media 2, 4 is initialized. "Unlocking" a unit of Media 2, 4 requires an operation no more complicated than using a television remote control. Overhead and delay are concentrated at the time a unit of Media 2, 4 is "unlocked", and no delays or incompatibilities are introduced during operations using the Media 2 or 4.

Remotely invoked privileged operations at the security server 24 are under the positive control of the user. That control is cryptographically protected and mutually authenticated.

Identification and authentication of users to the security server 24 is both simpler and more robust than former implementations such as passwords. The same basic steps are used for security operations dealing with Media 2, 4 and dealing with the security server 24.

In the data protection area, the system associates Media 2 or 4 primarily with users and secondarily with machines or Workstations 10. This is a more natural structure than one where media is only usable on a single machine or Workstation 10.

Control logic computes allowed access at the last possible moment using the combination of an "access vector" assigned to an individual and the "device attributes" assigned to a particular Workstation 10, which can be used to enforce a variety of security policies. For example, an individual's access to data may be restricted not only on the basis of the individual's attributes but also to protected physical locations. Thus an individual's access vector may grant "read" access to a unit of media which contains proprietary engineering data, but the comparison against the device attributes of the machine making the access may restrict display of the contents of the unit of media to those machines inside a particular facility or office. Physical security measures can then be used to restrict who may be in the vicinity when the data is displayed. Previous implementations in this area have permitted only an "all or nothing" approach to access.
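The two-stage decision just described, a policy computation that yields an access vector when the media is initialized, followed by a narrowing against the device attributes at the moment of access, is shown below as an added example; it is not code from the patent, which fixes neither an attribute vocabulary nor a rule set. The sensitivity levels, department names, the "need to know" set, the `write_permitted` device flag and the Media UID strings are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed attribute vocabulary; the patent leaves the concrete encoding of
# Media Attributes 54, User Attributes 56 and Device Attributes 58 open.
LEVELS = {"public": 0, "proprietary": 1, "restricted": 2}


@dataclass(frozen=True)
class MediaAttributes:          # Media Attributes 54, indexed by Media UID 46
    sensitivity: str            # one of LEVELS
    owner_department: str


@dataclass(frozen=True)
class UserAttributes:           # User Attributes 56, indexed by User UID 48
    department: str
    clearance: str              # highest sensitivity this user may handle
    need_to_know: frozenset     # Media UIDs of restricted media explicitly granted


@dataclass(frozen=True)
class DeviceAttributes:         # Device Attributes 58, held in the Crypto Media Controller
    max_sensitivity: str        # "Authorized to Process Public Data Only" -> "public"
    write_permitted: bool       # False forces read-only use on this workstation


def compute_access_vector(media_uid: str, media: MediaAttributes,
                          user: UserAttributes) -> frozenset:
    """Security Policy Logic: Media Attributes + User Attributes + facility rules
    give the Access Vector 52 for this user and this unit of media. It is computed
    once (at initialization or key assignment), not at each access. Rules are
    hypothetical."""
    if LEVELS[user.clearance] < LEVELS[media.sensitivity]:
        return frozenset()                       # sensitivity dominates everything
    if media.sensitivity == "restricted" and media_uid not in user.need_to_know:
        return frozenset()                       # clearance alone is not need-to-know
    rights = {"read"}
    if user.department == media.owner_department:
        rights.add("write")                      # only the owning department may modify
    return frozenset(rights)


def allowed_access(access_vector: frozenset, media: MediaAttributes,
                   device: DeviceAttributes) -> frozenset:
    """Crypto Media Controller access control logic: the Access Vector carried in
    the key packet is narrowed by the Device Attributes of the workstation the
    media is mounted on, at the moment of access."""
    if LEVELS[device.max_sensitivity] < LEVELS[media.sensitivity]:
        return frozenset()                       # wrong physical location: no display at all
    if not device.write_permitted:
        return access_vector & {"read"}
    return access_vector


# Constructed sample population
DRAWINGS = MediaAttributes(sensitivity="proprietary", owner_department="engineering")
ENGINEER = UserAttributes("engineering", "proprietary", frozenset())
ACCOUNTANT = UserAttributes("accounting", "proprietary", frozenset())
CLOSED_FACILITY = DeviceAttributes("proprietary", write_permitted=True)
OPEN_AREA = DeviceAttributes("public", write_permitted=True)


def demo() -> dict:
    av_eng = compute_access_vector("M000017", DRAWINGS, ENGINEER)
    av_acct = compute_access_vector("M000017", DRAWINGS, ACCOUNTANT)
    return {
        "engineer_closed": allowed_access(av_eng, DRAWINGS, CLOSED_FACILITY),
        "engineer_open": allowed_access(av_eng, DRAWINGS, OPEN_AREA),
        "accountant_closed": allowed_access(av_acct, DRAWINGS, CLOSED_FACILITY),
    }


if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case}: {sorted(rights) or 'no access'}")
```

The engineer holds an access vector of read and write for the drawings, yet the same key packet yields no access at all on the open-area workstation, which is exactly the "all or nothing" limitation the text contrasts against: the policy decision and the location decision are separate inputs, and the device never learns more than the intersection.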

European Patent Specification No. EP-A-421409 relates to data security for networks connecting a host computer to several workstations and personal data carriers such as IC-cards by means of different keys or data elements.

US Patent Specification US-A-5052040 also discloses a security system using different keys for communication and data processing.

In accordance with a first aspect of the invention there is provided a data enclave as set out in claim 1.

In accordance with a second aspect of the invention there is provided a data enclave method as set out in claim 2.

A media key is provided for each unit of media, and used to encrypt and protect data carried on the media, with the media keys stored in the personal keying devices. A media unique identifier (media UID) is provided for each unit of media, stored on the media, and used to identify the corresponding media key for the unit of media stored in a personal keying device, and to identify media attributes assigned to the unit of media. Media attributes are associated with each unit of media to which a media UID has been assigned, and used to represent the sensitivity or other security related information that may pertain to the data carried on that unit of media.

An access vector is associated with each media key to form media key/access vector pairs, stored in the personal keying devices, and used to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs, with each access vector formed using the corresponding media attributes and user attributes, and a set of access rules. The media key/access vector pairs are stored in the personal keying devices enciphered with a combined key including the user's UID, the user's PIN and the enclave key. Device attributes are assigned to each workstation, stored in that device's crypto media controller, and used to represent the security attributes of the workstation.

Each crypto media controller includes access control logic for restricting access to the data on the media based on the user's PIN, the access vector and the device attributes for the workstation from which access is attempted.

Brief Description of the Drawings 

The operational enhancements and features of the present invention become more apparent from a consideration of the drawings and following detailed description.

Figure 1 is a diagram illustrating a typical departmental computing environment incorporating a local area network with a wide area network.

Figure 2 is a diagram illustrating possible threats against the departmental computing environment.

Figure 3 is an overall simplified block diagram of a secure data processing system illustrating the Data Enclave implementation.

Figure 4 is a simplified block diagram of the main data processing elements in the apparatus implementing the present invention.

Figure 5 is a simplified block diagram of the Workstation data processing elements using a Workstation configuration supporting coprocessor cryptography.

Figure 6 is a simplified block diagram of the Workstation data processing elements using a Workstation configuration supporting inline cryptography.

Figure 6a is a pictorial diagram of a personal keying device illustrating the appearance, features, and functions.

Figure 6b is a schematic diagram of the data elements created and utilized for the protection of data in the present invention.

Figure 7 is a simplified block diagram illustrating the steps for the extraction of user data at the Workstation, implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 8 is a simplified block diagram illustrating the step for preparation and sending of a "Request Packet", implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 9 is a simplified block diagram illustrating the step for receipt of a "Request Packet" at the Security Server, implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 10 is a simplified block diagram illustrating the steps for the checking of user identity and the generation of a Media UID, implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 11 is a simplified block diagram illustrating the steps for Access Vector generation, implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 12 is a simplified block diagram illustrating the steps for "Key Packet" generation and storage, implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 13 is a simplified block diagram illustrating the steps for Media UID and "Key Packet" assignment, implemented in the Media Initialization and Key Generation phase of Data Enclave operation.

Figure 14 is a simplified block diagram illustrating the steps for extracting identification data and forming a Request, implemented in the Key Assignment phase of Data Enclave operation.

Figure 15 is a simplified block diagram illustrating the step for the encryption and transmission of a "Request Packet", implemented in the Key Assignment phase of Data Enclave operation.

Figure 16 is a simplified block diagram illustrating the steps for the computation of an Access Vector, implemented in the Key Assignment phase of Data Enclave operation.

Figure 17 is a simplified block diagram illustrating the steps for key generation, storage, and transmission, implemented in the Key Assignment phase of Data Enclave operation.

Figure 18 is a simplified block diagram illustrating the step for the transfer of the key to the personal keying device, implemented in the Key Assignment phase of Data Enclave operation.

Figure 19 is a simplified block diagram illustrating the steps for Media Key and Access Vector extraction, implemented in the Keying of Devices phase of Data Enclave operation.

Figure 20 is a simplified block diagram illustrating the steps for Media Key and Access Vector use, implemented in the Keying of Devices phase of Data Enclave operation.

Figure 21 is a simplified block diagram illustrating the steps for the initialization of the authentication process, implemented in the Identification and Authentication phase of Trusted Path operation.

Figure 22 is a simplified block diagram illustrating the step for the authentication of identity and the establishment of privileges, implemented in the Identification and Authentication phase of Trusted Path operation.

Figure 23 is a simplified block diagram illustrating the step for the preparation and transmission of the "Response Packet", implemented in the Identification and Authentication phase of Trusted Path operation.

Figure 24 is a simplified block diagram illustrating the step for the completion of the authentication sequence, implemented in the Identification and Authentication phase of Trusted Path operation.

Figure 25 is a simplified block diagram illustrating the steps for the initiation of a privileged operation, implemented in the Privileged Services phase of Trusted Path operation.

Figure 26 is a simplified block diagram illustrating the steps for the determination of privileges, implemented in the Privileged Services phase of Trusted Path operation.

Figure 27 is a simplified block diagram illustrating the step for the acknowledgment of privileges, implemented in the Privileged Services phase of Trusted Path operation.

Figure 28 is a simplified block diagram illustrating the step for the display of the acknowledgment, implemented in the Privileged Services phase of Trusted Path operation.

Figure 29 shows an alternate embodiment of the Data Enclave system.

Figure 30 shows the configuration for initializing fixed media according to the alternate embodiment of Figure 29.

Figure 31 shows the configuration for initializing removable media according to the alternate embodiment of Figure 29.

Detailed Description of the Invention

In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration, specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

The term "logic" is used throughout the ensuing description with reference to the structure of various electronic components of the invention. The term is intended to have a broad meaning, and to encompass hardware implementations, software implementations, and combinations thereof.

Processing Elements

The present invention consists of processing elements and data elements. The interrelation of the processing elements is shown generally in Figures 3 and 4 (in part described above) and in more detail in Figures 5 and 6. The descriptions given below show cryptographic protection provided only to those distinguished transmissions required in the operation of the invention. In such a case, the elements of the invention are preferably arranged with regard to the Workstation 10 as shown in Figure 5.

If it is desired to protect all transmissions over the Local Area Network 12, e.g., to prevent wiretapping or other monitoring by unauthorized personnel, then the Crypto Media Controller 26 could be used to encipher and decipher all data going out over the Network 12. In this case, the elements of the invention could be arranged with regard to the Workstation 10 as shown in Figure 6.

Security Server

The Security Server 24, a secure computer, is a distinguished server that performs gateway and security functions at the interface between the Local Area Network 12 and the Wide Area Network 16. It also performs the key management and backup functions for the cryptography in the Enclave 20. The Security Server 24 can be implemented in the form of a secure computer, for example, as disclosed in U.S. Patent No. 4,621,321 to Boebert et al., entitled "Secure Data Processing System Architecture", 4,713,753 to Boebert et al., entitled "Secure Data Processing System Architecture with Format Control", and 4,701,840 to Boebert et al., entitled "Secure Data Processing System Architecture".



Personal Keying Device 

Each user 5 is issued a Personal Keying Device 30. Personal Keying Devices 30 are used for key insertion and individual authentication. A Personal Keying Device 30 (shown in more detail in Figure 6a) preferably contains fixed or removable electronic storage and processor 32, a keypad 34, a display 36, and a data transfer interface 38 that can be either wired or wireless (e.g., radio, infrared) and is compatible with an interface 31 on a Crypto Media Controller 26. The Personal Keying Device 30 can be highly portable, e.g., pocket calculator size. Personal Keying Devices 30 may also be equipped with theft detection circuitry to prevent them from being physically removed from the enclave working area.

Crypto Media Controller

The standard media controller on each Workstation 10 is replaced with a Crypto Media Controller 26. Crypto Media Controllers 26 perform key management, media encryption and decryption, and authentication functions. A Crypto Media Controller 26 has the same interfaces as the standard media controllers, as well as a data transfer interface that is compatible with the one on the Personal Keying Device 30. The Crypto Media Controllers 26 can be the same size as the standard media controllers they replace.

Data Elements

The present invention also includes a variety of data elements, as described below and schematically represented in Figure 6b.

Enclave Key

There is one Enclave Key 40 per organization. It is held in protected storage in the Security Server 24 and the Crypto Media Controllers 26, and is used to protect Media Keys 42 when they are being transmitted along the LAN 12.

Media Key

There is one Media Key 42 assigned to each physical unit of the media, whether that unit is fixed 2 or removable 4. Assignment is done when the media is initialized at the Workstation 10. This key is used to protect the data on the Media 2 or 4.

Combined Keys

Combined Keys 44 are generated in the operation of the present invention from other data elements and keys.

EP 0 636 259 B1
Media Unique Identifier (Media UID) 

Each physical unit of media, whether fixed 2 or removable 4, is assigned a Media Unique Identifier 46 (Media UID). This number is generated by the Security Server 24, and stored in whatever field the Media 2 or 4 software uses to identify physical units (e.g., Volume Label). The Media UID 46 is used to find the appropriate Media Key 42 in the Personal Keying Device 30, and to locate that data pertaining to the unit of media which is stored in the Security Server 24 (e.g., Media Attributes).

User Unique Identifier (User UID)

Each individual who has potential access to encrypted media is assigned a User Unique Identifier 48 (User UID) which is stored in that user's Personal Keying Device 30, encrypted with the Enclave Key 40. The User UID 48 forms part of the key used to protect Media Keys 42 in the Personal Keying Device 30, and is used to extract that data pertaining to the user 5 which is stored in the Security Server 24 (e.g., User Attributes).

Personal Identification Number (PIN)

Each user 5 is assigned a Personal Identification Number 50 (PIN), which is used to form part of the key that protects Media Keys 42 in the Personal Keying Device 30.

Access Vector

An Access Vector 52 is associated with each Media Key 42 stored in a Personal Keying Device 30. The Access Vector 52 is used to represent those possible conditions of access to the data enciphered with that Media Key 42 that may apply to the individual assigned to that Personal Keying Device 30.

Media Attributes

Media Attributes 54 are associated with each element of Media 2 or 4 to which a Media UID 46 has been assigned. Media Attributes 54 are used to represent the sensitivity or other security related information that may pertain to the data on that element of media.

User Attributes

A set of "User Attributes" 56 are associated with each user to which a User UID 48 has been assigned. User Attributes 56 are used to represent the privileges and other security related information which pertains to that user.

Device Attributes

Device Attributes 58 are assigned to each Crypto Media Controller 26, and reflect the Security Attributes 57 of the machine in which the Crypto Media Controller 26 is installed. Device Attributes 58 are combined with Access Vectors 52 to set limits on media access (e.g., read only). Device Attributes 58 are typically defined by the physical security measures which surround the Workstation 10 in which the Crypto Media Controller 26 is installed. For example, a Workstation 10 installed in an open environment may have Device Attributes 58 set to "Authorized to Process Public Data Only", whereas one in a closed engineering facility may have Device Attributes 58 set to "Authorized to Process Proprietary Engineering Data."

Requests

Requests 60 are transmitted back and forth between the Crypto Media Controller 26 and Security Server 24 in the course of operations which require cooperation between the two devices. Requests 60 contain a variety of information depending on the nature of the operation being performed, as well as optional integrity fields such as cyclic redundancy checks or checksums.

Countersigns

The purpose of the Countersign 62 logic is to prevent malicious code in the Workstations 10 from masquerading as the Security Server 24, and thereby duping users 5 into taking inappropriate actions. Each time a user 5 is identified to the Security Server 24 (e.g., each new session), the Security Server 24 generates a "fresh" Countersign 62. Countersigns 62 are words, symbols, or phrases which are easy to remember and which are generated by some process which makes it computationally infeasible to guess from one Countersign 62 what the value of the next one will be. The Countersign 62 for a session is presented by the Security Server 24 as a header to each message it sends to the user 5 when communicating over a Trusted Path. The present invention also provides a "Trusted Path." A Trusted Path is a logical communications path between a human user 5 and the Secure Computer 24 (Figure 3). A Trusted Path differs from other modes of communication in that there is a high degree of assurance on the part of both parties that the communication is authentic; that is, the human user is truly seeing what the secure computer intends the human user to see, and the secure computer is making decisions on the basis of precisely what the human user has transmitted to it.

The Countersign 62 is displayed to the user 5 on the Personal Keying Device 30 when the Trusted Path is in effect, and is protected from the Workstations 10 and the communications media by cryptography and is computationally infeasible to guess. Its presence on the display of the Personal Keying Device 30 is a positive indication to a user that the communication in which the user is engaged is taking place over a Trusted Path to the Security Server 24.

Countersigns 62 are arranged so that the logic in the Security Server 24 can, for any given Countersign 62, determine what the previous Countersign 62 in the sequence was. That is, given a Countersign 62, the Security Server 24 can compute or retrieve a correct value of the previous one, which is called the "last countersign" 62'.
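The three properties the Countersign passage requires (fresh per session, memorable, unpredictable from its predecessor, yet traceable backwards by the server) can be met with a keyed pseudorandom function over a session counter, which is what the added example below does. It is not the patent's own countersign generator, which is left unspecified; the HMAC-SHA256 construction, the 32-word vocabulary, the phrase shape and the `[countersign] message` header format are all assumptions of this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed vocabulary: the memorability comes from the words, the unpredictability
# from the server secret, so any list of easy-to-read words would do.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "falcon", "granite", "harbor",
         "indigo", "juniper", "kestrel", "lantern", "marble", "nickel", "orchid", "pewter",
         "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
         "yarrow", "zephyr", "alder", "basalt", "cedar", "dune", "elm", "fjord"]


class CountersignLogic:
    """Security Server side of the Countersign 62 logic (added illustration).

    Countersign for session i = HMAC(server_secret, i), rendered as three words and a
    two-digit number. Without the secret, one countersign gives no information about
    the next. The server records the sequence so that, given any countersign, it can
    retrieve the "last countersign" 62'."""

    def __init__(self, secret: Optional[bytes] = None):
        self._secret = secret or secrets.token_bytes(32)   # never leaves the server
        self._session = 0
        self._previous: dict = {}        # countersign -> last countersign (None for the first)
        self._latest: Optional[str] = None

    def fresh(self) -> str:
        """Called each time a user is identified to the server (a new session)."""
        self._session += 1
        d = hmac.new(self._secret, self._session.to_bytes(8, "big"), hashlib.sha256).digest()
        phrase = "-".join(WORDS[b % len(WORDS)] for b in d[:3])
        cs = f"{phrase}-{int.from_bytes(d[3:5], 'big') % 100:02d}"
        self._previous[cs] = self._latest
        self._latest = cs
        return cs

    def last_countersign(self, cs: str) -> Optional[str]:
        """Given a countersign, retrieve the previous one in the sequence."""
        return self._previous[cs]

    @staticmethod
    def header(cs: str, body: str) -> str:
        """Every Trusted Path message from the server carries the session countersign."""
        return f"[{cs}] {body}"


def user_accepts(displayed_on_pkd: str, message: str) -> bool:
    """Personal Keying Device side: the user trusts a message only if its header
    carries the countersign currently shown on the device display."""
    return message.startswith(f"[{displayed_on_pkd}] ")
```

The server is the only party holding the secret, so a workstation that has observed every past countersign still cannot produce the header for the next session; and because the display on the Personal Keying Device is fed over the protected path rather than through the workstation, malicious code on the workstation cannot show the user a matching value either.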

OPERATION OF DATA ENCLAVE 20 

The present invention makes use of cryptography to protect the data on Media 2 or 4 and uses an innovative method to distribute and protect the cryptographic keys in order to achieve security, flexibility, and ease of use. The same cryptographic services are used to prevent unauthorized access through the Wide Area Network 16, or the unauthorized use of privileged services.

As described in more detail below, protection of the data on Media 2 or 4 takes place in three broad phases. The first phase, which is done very infrequently, is media initialization and key assignment to the individual user 5 requesting the initialization. The second phase, which is also infrequently done, is the assignment of a key for already-initialized Media 2 or 4 to additional individuals. The third phase, which is done more frequently, is the keying of devices, so that access to the data may be made.

Media Initialization and Key Generation

The media initialization and key generation phase generates a Media Key 42 and an Access Vector 52 for a unit of Media 2 or 4 and places them in enciphered form in the Personal Keying Device 30 assigned to the individual requesting the initialization. This data is also archived in the Security Server 24 so that it may be restored at a later time.

Key Assignment

The key assignment phase assigns a Media Key/Access Vector pair, or combination, for an already-initialized unit of media to a new individual. The Media Key 42 will be a copy of the one generated when the unit of Media 2 or 4 was initialized. The Access Vector 52, since it depends on User Attributes 56 as well as Media Attributes 54, will be newly computed.

Keying of Devices

The keying of devices phase automatically extracts the proper Media Key/Access Vector combination from the Personal Keying Device 30, decrypts them and uses them to allow controlled access to the unit of Media 2 or 4. The Media Key/Access Vector combination is enciphered with a Combined Key 44 which includes the user's PIN 50. This restricts a particular Media Key/Access Vector combination to the individual to whom it was assigned.

Media Initialization and Key Generation

The operations in the Media Initialization and Key Generation Phase occur when a blank unit of Media 2 or 4 is to be prepared for safe use in the Enclave 20. This preparation involves initializing the Media 2 or 4, assigning a Media UID 46 to it, generating a Media Key 42 which is unique to that unit of media, and assigning a Media Key/Access Vector pair to the user 5 initializing the media.

The operations in this phase are keyed to the diagrams in Figure 7 through Figure 13. The logic used to implement the Trusted Path facilities is omitted from these diagrams.

Step 1 (Figure 7)

An individual brings together a blank unit of physical Media 2 or 4 and his or her Personal Keying Device 30 to a Workstation 10 which is equipped with a Crypto Media Controller 26 and attached to a Local Area Network 12. If the Media 4 is removable, this is done by carrying Media 4 and Personal Keying Device 30 to an appropriate Workstation 10. If Media 4 is permanently installed (Fixed Media 2), Personal Keying Device 30 is brought to the Workstation containing the fixed media controlled by Crypto Media Controller 26, and the Workstation 10 is temporarily attached to the Local Area Network 12.

Step 2 (Figure 7)

The individual user 5 desiring access to Media 2 or 4 then enters his or her PIN 50 into Personal Keying Device 30, which transmits it to Crypto Media Controller 26, where it is stored for use in later steps.

Step 3 (Figure 7)

Crypto Media Controller 26 then extracts the encrypted User UID 48' from the Personal Keying Device 30, decrypts the User UID 48 using the Enclave Key 40, and stores it for use in later steps.

Step 4 (Figure 8)

Crypto Media Controller 26 forms a packet consisting of the PIN 50, the User UID 48, and a Request 60 for media initialization. The request field will include the nature of the request and appropriate supporting data such as the Security Attributes 57 to be assigned to Media 2 or 4. Key Management Crypto 70 in Crypto Media Controller 26 enciphers it using the Enclave Key 40, and transmits it across the Local Area Network 12 to Security Server 24.
Step 5 (Figure 9)

Security Server 24 receives the encrypted packet 90, decrypts it using its copy of the Enclave Key 40, and stores the PIN 50, User UID 48, and Request 60 for use in later steps.

Step 6 (Figure 10)

Storage Search Logic 72 in Security Server 24 uses the User UID 48 to index User Attribute Data Base 80, which returns a pass value if the PIN 50 entered by the user 5 in Step 1 is the same as that stored in the data base, i.e., a valid PIN 50. User Attribute Data Base 80 returns a fail value if the PIN 50 entered by the user is invalid. A fail value will cause the initialization process to abort and a notification to be sent back to Crypto Media Controller 26, which will display it to the user 5 in an appropriate fashion. The abort sequence is not diagrammed in the figures.

Step 7 (Figure 10)

Storage Search Logic 72 extracts the Media Attributes 54 from the Request and commands Media Attribute Data Base 82 to make an entry for the new element of Media 2 or 4. Since Media Attribute Data Base 82 is indexed by the Media UID 46, this has the effect of creating a new Media UID 46 which is sent to Crypto Media Controller 26 and saved for use in later steps.

Step 8 (Figure 11)

Storage Search Logic 72 uses the User UID 48 to index User Attribute Data Base 80 and extract the set of Security Attributes 57 pertaining to this user, and passes these attributes to Security Policy Logic 86.

Step 9 (Figure 11)

Security Policy Logic 86 accepts the Media Attributes 54 and User Attributes 56, and, using a set of rules defined by the administrators of the facility, computes an Access Vector 52 which defines limits on the access this user 5 may have to this unit of Media 2 or 4. This computation may involve the intervention of administrative personnel to authorize or deny the granting of certain privileges.

Step 10 (Figure 12) 

Key Management Crypto 70, with the optional aid 
of authorized individuals, then generates a Media Key 
42 for this unit of Media 2 or 4. The manner of generation 
can involve computation, access to stored tables, re- 
quests for inputs from authorized individuals, or any 
combination thereof. Other methods of key generation 
may also be used. The Media Key 42 and Access Vector
52 pair 91 are enciphered with a combined key 44 con-
sisting of the User UID 48, the user's PIN 50 and the
Enclave Key 40.

Step 11 (Figure 12) 

The enciphered packet is sent to Storage Search 
Logic 72 where the User UID 48 and Media UID 46 are 
used to store the enciphered packet 92 in Crypto Key 
Data Base 84. The Media UID and the enciphered pack-
et 92 are transmitted along the LAN 12 to Crypto Media
Controller 26. 

Step 12 (Figure 13) 

The Media UID 46 arrives at Crypto Media Control- 
ler 26 and is written to the appropriate location on Media 
2 or 4 (e.g., Volume Label). 

Step 13 (Figure 13) 

The enciphered Media Key/Access Vector pair 
packet 92 arrives at Crypto Media Controller 26 and the 
Media UID 46 is used as an index to store the enci- 
phered pair packet 92 in Personal Keying Device 30. 

At this point the initialization process is complete. 
The media can be identified and the individual Personal 
Keying Device 30 contains a Media Key 42 which can 
only be used by someone who has physical possession 
of that Personal Keying Device 30, knows that individu- 
al's PIN 50, and has the Media 2 or 4 controlled by a 
Crypto Media Controller 26 containing the Enclave Key 
40. The individual's Personal Keying Device 30 also 
contains an Access Vector 52 which defines further re- 
strictions on access in a manner that is specific to the 
individual who has physical possession of that Personal 
Keying Device 30 and knows that individual's PIN 50. 

Key Assignment 

The operations in the Key Assignment Phase of the 
invention occur when an already-initialized unit of Media 
2 or 4 is to be shared with a user 5 other than the one 
who initialized it. In this case, the unit of Media 2 or 4 
has a Media Key 42 generated for it, and a Media Key/ 
Access Vector pair 91 has been assigned to the initial 
user of the unit Media 2 or 4. The necessary steps are 
to copy the Media Key/Access Vector pair 91 to the new 
user 5. 

The operations in this description are keyed to the 
diagrams in Figure 14 through Figure 18. The logic used 
to implement the Trusted Path facilities is omitted from 
these diagrams. 

Step 1 (Figure 14)

An individual brings together a unit of physical Me- 
dia 2 or 4 and his or her Personal Keying Device 30 to 
a Workstation 10 which is equipped with Crypto Media
Controller 26, and which is attached to the Local Area 
Network 12. If Media 2 or 4 is removable, this is done
by carrying Media 4 and their Personal Keying Device 
30 to an appropriate Workstation 10. If Media 2 or 4 is
permanently installed (fixed media), Personal Keying 
Device 30 is brought to the computer containing the 
fixed Media 2 controlled by Crypto Media Controller 26. 

Step 2 (Figure 14) 

The individual desiring access to Media 2 or 4 then 
enters his or her PIN 50 into Personal Keying Device 30 
which transmits it to Crypto Media Controller 26, where 
it is stored for use in later steps. 

Step 3 (Figure 14) 

Crypto Media Controller 26 then extracts the en- 
crypted User UID 48 from Personal Keying Device 30, 
decrypts the User UID 48 using the Enclave Key 40 and 
stores it for use in later steps. 

Step 4 (Figure 14) 

Storage Search Logic 72 in Crypto Media Controller 
26 then reads the Media UID 46 off Media 2 or 4 and 
searches Personal Keying Device 30 for a Media Key/ 
Access Vector pair 91 for this unit of Media 2 or 4 for 
this user 5. Finding none, it generates a Request 60 for 
key assignment. 

Step 5 (Figure 15) 

Key Management Crypto 70 forms a request packet 
94 consisting of the PIN 50, User UID 48, Media UID 46 
and Request 60, encrypts it with the Enclave Key 40, 
and transmits it over the Local Area Network 12 to Se- 
curity Server 24. 

Step 6 (Figure 16) 

Security Server 24 receives the encrypted packet 
94, decrypts it using its copy of the Enclave Key 40, and 
stores the PIN 50, User UID 48, Media UID 46 and Re- 
quest 60 for use in later steps. 

Step 7 (Figure 16) 

Storage Search Logic 72 in Security Server 24 uses 
the User UID 48 to index User Attribute Data Base 80. 
User Attribute Data Base 80 returns a pass value if the 
PIN 50 entered by the user 5 was the same as that 
stored in the data base (i.e. valid). User Attribute Data 
Base 80 returns a fail value if the PIN 50 entered by the 
user is invalid. A fail value will cause the assignment 
process to abort and a notification to be sent back to 
Crypto Media Controller 26, which will display it to the
user in an appropriate fashion. The abort sequence is
not diagrammed in the figures. 

Step 8 (Figure 16) 

The User UID 48 is used as an index into User At- 
tribute Data Base 80 by Storage Search Logic 72, and 
the Security Attributes 57 of the user 5 requesting key 
assignment are extracted and passed to Security Policy 
Logic 86. 

Step 9 (Figure 16) 

The Media UID 46 is used as an index into Media 
Attribute Data Base 82 by Storage Search Logic 72, and 
the Security Attributes 57 of the denoted item of Media 
2 or 4 are extracted and passed to the Security Policy 
Logic 86. 



Security Policy Logic 86 accepts these Attributes 
57, and, using a set of rules defined by the administra- 
tors of the facility, computes an Access Vector 52 which 
defines limits on the access this user 5 may have to this 
unit of Media 2 or 4. This computation may involve the 
intervention of administrative personnel to authorize the 
granting or denying of certain privileges. This Access 
Vector 52 is saved for use in later steps. 

Step 11 (Figure 17) 

The Media UID 46 is used by Storage Search Logic 
72 to find an enciphered key packet in Crypto Key Data 
Base 84 which has been previously stored and which 
contains a Media Key 42 for this unit of media. Since the 
Media 2 or 4 has been initialized and assigned a Media 
UID 46, then at least one such packet must exist. Any 
such packet will suffice, since all packets pertaining to 
a given unit of Media 2 or 4 will contain the same Media 
Key 42. When such a packet is found, the Media Key 42 
is extracted from it for use in later steps. 

Step 12 (Figure 17) 

A new Key Packet 93 is formed consisting of the 
Media Key 42, Access Vector 52, User UID 48, and Me- 
dia UID 46 and placed in Crypto Key Data Base 84 for 
archival storage and retrieval. 

Step 13 (Figure 17) 

The Media Key and Access Vector pair 91 are en- 
ciphered with a Combined Key 44 consisting of the User 
UID 48, the user's PIN 50, and the Enclave Key 40, and 
the enciphered packet 92 is transmitted along the LAN 
12 to Crypto Media Controller 26. 
Step 14 (Figure 18)

The Media UID 46 is used as an index to store the 
enciphered Media Key/Access Vector pair 91 in Person- 
al Keying Device 30. 

At this point the new individual's Personal Keying 
Device 30 contains a Media Key 42 which can only be
used by someone who has physical possession of that 
Personal Keying Device 30, knows that individual's PIN 
50, and has the Media 2 or 4 controlled by a Crypto Me- 
dia Controller 26 containing the Enclave Key 40. The 
individual's Personal Keying Device 30 also contains an 
Access Vector 52, which defines further restrictions on 
access in a manner that is specific to the individual who 
has physical possession of that Personal Keying Device 
30 and knows that individual's PIN 50. 

Keying of Devices 

The operations in the Keying of Devices Phase oc- 
cur when a Media Key/Access Vector pair 91 for a unit 
of Media 2 or 4 has been assigned to a user 5, and that 
user 5 wants to exercise the assigned accesses. The 
steps in this description are keyed to the diagrams in 
Figures 19 and 20. The logic used to implement the
Trusted Path facilities is omitted from these diagrams. 

Step 1 (Figure 19)

An individual user 5 establishes a data transfer in- 
terface between his or her Personal Keying Device 30 
and any Crypto Media Controller 26 containing the En- 
clave Key 40, and between that Crypto Media Controller 
26 and Media 2 or 4 the individual user 5 desires to ac- 
cess. In the latter case, this will involve placing the unit 
of Media 4 into the appropriate device (e.g., diskette 
drive). 

Step 2 (Figure 19) 

The individual user 5 desiring access to Media 2 or 
4 then enters his or her PIN 50 into Personal Keying 
Device 30 which transmits it to Crypto Media Controller 
26, where it is stored for use in later steps. 

Step 3 (Figure 19) 

Storage Search Logic 72 in Crypto Media Controller 
26 reads the Media 2 or 4 and extracts the Media UID 
46. 

Step 4 (Figure 19) 

Using the Media UID 46, Storage Search Logic 72 
searches Storage 78 in Personal Keying Device 30 and 
extracts the enciphered Media Key/Access Vector pair 
packet 92 and passes it to Key Management Crypto 70.

Step 5 (Figure 19)

The enciphered User UID 48' is fetched from Per-
sonal Keying Device 30 and deciphered using the En-
clave Key 40.

Step 6 (Figure 19) 

The User UID 48, PIN 50, and Enclave Key 40 are 
then combined to form the Combined Key 44 to decrypt 
the Media Key/Access Vector packet 92. The Media Key 
42 is passed to Data Crypto 74, and the Access Vector 
52 is passed to Access Control Logic 76.

Step 7 (Figure 20)

The internal logic of Workstation 10 makes a request
for data. That logic need not be aware the data is pro-
tected by cryptography. The request illustrated in the fig-
ure is a "read" request, but the handling of "write" re-
quests is symmetric.

Step 8 (Figure 20)

Enciphered data 3' is then fetched from Media 2 or
4.

Step 9 (Figure 20)

Data Crypto 74 deciphers the data using the Media
Key 42 and passes data 3 to the Access Control Logic
76.

Step 10 (Figure 20)

Access Control Logic 76 consults the Access Vector
52 and the Device Attributes 58 contained within itself
and decides whether the desired mode of access ("read,"
"write," etc.) shall be permitted. If not, the data transfer
is aborted and an error indication is sent to the Work-
station 10.

At this point the data has been transferred to the
Workstation 10 for processing. Removal of the Media 2
or 4 or the Personal Keying Device 30 from the Crypto
Media Controller 26 will cause the complete reset of the
Crypto Media Controller 26 and require the keying proc- 
ess be started from the beginning. 
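
The Combined Key 44 (Initialization Step 10) and the Keying of Devices decision in Steps 6 and 10, as an added Python sketch that is not code from the patent. It assumes SHA-256 to combine User UID 48, PIN 50 and Enclave Key 40, an HMAC-based stand-in for the cipher the patent leaves unspecified, and a constructed Access Vector 52 of allowed modes and facilities matched against the controller's Device Attributes 58.

```python
import hashlib
import hmac
import json
import os

# Constructed sample values: the patent fixes neither key sizes nor a cipher.
ENCLAVE_KEY_40 = b"enclave-key-40-constructed-sample"
USER_UID_48 = b"user-uid-48-0007"
PIN_50 = "4321"
MEDIA_KEY_42 = bytes(range(16))
# Access Vector 52 as Security Policy Logic 86 might compute it: "read" only, and only
# on controllers whose Device Attributes 58 place them in facility bldg-7 (constructed).
ACCESS_VECTOR_52 = {"modes": ["read"], "facilities": ["bldg-7"]}
DEVICE_ATTRIBUTES_58_INSIDE = {"facility": "bldg-7"}
DEVICE_ATTRIBUTES_58_OFFSITE = {"facility": "offsite"}


def combined_key_44(user_uid_48: bytes, pin_50: str, enclave_key_40: bytes) -> bytes:
    """Combined Key 44: the patent only says User UID 48, PIN 50 and Enclave Key 40
    are 'combined'; hashing the three with SHA-256 is this example's assumption."""
    material = b"|".join([b"combined-key-44", user_uid_48, pin_50.encode(), enclave_key_40])
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream, a stand-in for the unspecified cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encipher(key: bytes, plaintext: bytes) -> bytes:
    """Encipher-then-MAC, so a wrong Combined Key 44 is detected instead of yielding garbage."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decipher(key: bytes, packet: bytes) -> bytes:
    nonce, body, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet 92 does not decipher under this Combined Key 44")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def make_pair_packet_92(media_key_42, access_vector_52, user_uid_48, pin_50, enclave_key_40):
    """Initialization Step 10: encipher the Media Key/Access Vector pair 91 into packet 92."""
    pair_91 = json.dumps({"media_key_42": media_key_42.hex(),
                          "access_vector_52": access_vector_52}).encode()
    return encipher(combined_key_44(user_uid_48, pin_50, enclave_key_40), pair_91)


def key_device_step_6(packet_92, user_uid_48, pin_50, enclave_key_40):
    """Keying of Devices Step 6: rebuild Combined Key 44 and recover the pair 91.
    Returns (Media Key 42, Access Vector 52), or None if UID, PIN or Enclave Key differ."""
    try:
        plain = decipher(combined_key_44(user_uid_48, pin_50, enclave_key_40), packet_92)
    except ValueError:
        return None
    pair = json.loads(plain)
    return bytes.fromhex(pair["media_key_42"]), pair["access_vector_52"]


def access_control_logic_76(access_vector_52, device_attributes_58, mode) -> bool:
    """Keying of Devices Step 10: permit `mode` only if the Access Vector 52 allows it
    and this controller's Device Attributes 58 fall inside the vector's limits."""
    return (mode in access_vector_52["modes"]
            and device_attributes_58["facility"] in access_vector_52["facilities"])


def keying_outcome(pin_entered: str, device_attributes_58: dict, mode: str):
    """End to end: initialize packet 92, key a controller with the PIN the user typed,
    then ask Access Control Logic 76 for `mode`. Returns (keyed, permitted)."""
    packet_92 = make_pair_packet_92(MEDIA_KEY_42, ACCESS_VECTOR_52,
                                    USER_UID_48, PIN_50, ENCLAVE_KEY_40)
    recovered = key_device_step_6(packet_92, USER_UID_48, pin_entered, ENCLAVE_KEY_40)
    if recovered is None:
        return False, False  # wrong PIN: no Media Key 42, so Data Crypto 74 never runs
    media_key_42, access_vector_52 = recovered
    return media_key_42 == MEDIA_KEY_42, access_control_logic_76(
        access_vector_52, device_attributes_58, mode)


if __name__ == "__main__":
    for pin, attrs, mode in [(PIN_50, DEVICE_ATTRIBUTES_58_INSIDE, "read"),
                             (PIN_50, DEVICE_ATTRIBUTES_58_INSIDE, "write"),
                             (PIN_50, DEVICE_ATTRIBUTES_58_OFFSITE, "read"),
                             ("0000", DEVICE_ATTRIBUTES_58_INSIDE, "read")]:
        print(pin, attrs["facility"], mode, "->", keying_outcome(pin, attrs, mode))
```

The offsite case is the "proprietary engineering data readable only inside one facility" policy the Advantages section describes: the user holds a Media Key 42 and a "read" grant, yet the controller's own attributes still refuse the transfer.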



Trusted Path

Identification and Authorization

This phase of the operation involves the steps
whereby a user 5 presents his or her identity to the Se-
curity Server 24 and has that identity authenticated and
a set of privileges associated with the user 5 at the Se-
curity Server 24.

This operation is protected against forged identities
and authentications, and so-called "replay" attacks in
which malicious software in other Workstations 10 mas-
querades as the authentication mechanism, accepts
identification and authorization data (such as pass- 
words) from an unwitting user 5, and then passes that 
data to an unauthorized individual. 

The operation is also protected against compro- 
mise of the authentication data in the Personal Keying 
Device 30. The invention uses the Countersign logic to 
effect this protection. It will be recalled that Countersigns 
62 come in a sequence which is generated by the Se-
curity Server 24, but which is computationally infeasible
for an outsider to guess. Thus, for each Countersign 62, 
the Security Server 24 (but no one else) can determine 
the value of Last Countersign 62'.

The Last Countersign 62' for a given user is stored in a
distinguished location in that user's Personal Keying 
Device 30. At each identification and authentication in- 
teraction the Last Countersign 62' is extracted from the 
Personal Keying Device 30 and compared with the Last 
Countersign 62' independently generated or retrieved
by the Security Server 24. If the two values are unequal 
then it is known that the identification and authentication 
process has been compromised and suitable alarms are 
raised. 

The manner in which this mechanism operates can 
be made clear from example. Assume that the se- 
quence of Countersigns 62 is "A," "B," "C," etc. Further 
assume that a given user's Personal Keying Device 30 
contains the Last Countersign 62' value "A". Since it is 
computationally infeasible for an attacker to guess this
value, the attacker's recourse is to either steal the Per- 
sonal Keying Device 30 or copy the data from it. 

If the attacker steals the Personal Keying Device 
30, then its absence will be noted and alarms will be 
raised. If the attacker copies the Last Countersign 62' 
and by some subterfuge succeeds in being authenticat- 
ed as the legitimate user 5, then the identification and 
authentication process will update the Last Countersign 
62' value in the spurious Personal Keying Device 30 to 
"B." When the legitimate user 5 attempts identification 
and authentication, the Last Countersign 62' in his or
her Personal Keying Device 30 will still be at "A"; the
difference will be noted by the Security Server 24 and 
alarms raised. 

Thus, the copying and successful use of data from 
a Personal Keying Device 30 will enable a false identity 
to be presented to the Security Server 24 only until the 
time at which the legitimate user 5 attempts identifica- 
tion and authentication. 

The steps involved in this phase of the operation 
are keyed to the diagrams given in Figure 21 through 
Figure 24. The logic used in data protection is omitted 
from these diagrams. 

Step 1 (Figure 21) 

The User UID 48, encrypted with the Enclave Key
(48'), is extracted from the user's Personal Keying De-
vice 30.

Step 2 (Figure 21)

The Last Countersign 62' (denoted "Old C/S" in Fig-
ure 21), encrypted with the Enclave Key 40, is extracted
from the user's Personal Keying Device 30.

Step 3 (Figure 21)

The user 5 desiring access to operations on the Se-
curity Server 24 then enters his or her PIN 50 through
the keyboard on the Personal Keying Device 30.

Step 4 (Figure 21)

The User UID 48' and Last Countersign 62' are de-
crypted, combined with the PIN 50, and re-encrypted
with the Enclave Key 40 for transmission to the Security
Server 24.

Step 5 (Figure 22)

The combined Last Countersign 62', PIN 50, and
User UID 48 are decrypted using the Enclave Key 40
and passed to the Storage Search Logic 72. That logic
searches the User Attribute Data Base 80 for the au-
thentication record belonging to this user 5, compares
the User UID/PIN combination 92 that was entered
against the stored value, and checks the Last Counter-
sign 62' from the Personal Keying Device 30 against the
stored value from the previous identification and authen-
tication interaction. Based on these checks the logic
computes a Result 94 (e.g., "Login Successful," "Login
Failed") and, in the case of successful identification, a
set of privileges which that user may exercise in future
interactions with the Security Server 24. Also in the case
of successful identification, the next Countersign 62 in
the sequence is generated, stored in the User Attribute
Data Base 80 as the new Last Countersign 62' and
saved for use in the next step. This value is denoted
"New C/S" in the figures.

Step 6 (Figure 23)

The Result 94 and the updated Countersign 62 val-
ue are encrypted with the Enclave Key 40 and transmit-
ted to the Crypto Media Controller 26.

Step 7 (Figure 24)

The combined Result and updated Countersign 62
is decrypted. The updated Countersign 62 is encrypted
with the Enclave Key 40 and stored in the user's Per-
sonal Keying Device 30 as the new value of Last Coun-
tersign 62'. The Countersign and result are displayed on
the display portion of the Personal Keying Device 30.

At this point, the user has been authenticated to the
Security Server 24 and assigned a set of Privileges 95,
which may be invoked at a later time. The Security Serv-
er 24 has also displayed to the user 5 the Countersign
62 that it will use in the session to authenticate itself to
the user.

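The Countersign check explained above and Steps 1 through 7 of Identification and Authentication, as an added Python simulation that is not part of the patent. It assumes the Security Server 24 extends the sequence with an HMAC chain keyed by a server secret (the patent only requires that outsiders cannot guess the next value), and the copied-device scenario replays the text's "A"/"B" example so the legitimate user's next login raises the alarm.

```python
import hashlib
import hmac


class SecurityServer24:
    """Owns the countersign sequence and, per user, the stored Last Countersign 62'."""

    def __init__(self, sequence_secret: bytes):
        self._secret = sequence_secret   # only the server can extend the sequence
        self._pins = {}                  # User Attribute Data Base 80: User UID 48 -> PIN 50
        self._position = {}              # index of each user's current countersign
        self.last_countersign = {}       # User UID 48 -> stored Last Countersign 62'
        self.alarms = []                 # raised on a countersign mismatch

    def _countersign(self, user_uid_48: bytes, n: int) -> str:
        """Countersign 62 number n for this user. An HMAC chain keyed by a server
        secret is this example's assumption; the patent only requires that the
        sequence be infeasible for an outsider to guess."""
        msg = user_uid_48 + n.to_bytes(4, "big")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:8].upper()

    def enroll(self, user_uid_48: bytes, pin_50: str) -> str:
        """Issue the first Last Countersign 62', to be written into the user's device."""
        self._pins[user_uid_48] = pin_50
        self._position[user_uid_48] = 0
        self.last_countersign[user_uid_48] = self._countersign(user_uid_48, 0)
        return self.last_countersign[user_uid_48]

    def identify(self, user_uid_48: bytes, pin_50: str, old_cs: str):
        """Step 5: check the UID/PIN pair, then the presented Old C/S against the
        stored Last Countersign 62'. Returns (Result 94, New C/S or None)."""
        if self._pins.get(user_uid_48) != pin_50:
            return "Login Failed", None
        if old_cs != self.last_countersign[user_uid_48]:
            # The device is behind the server: its contents were copied and used elsewhere.
            self.alarms.append(f"countersign mismatch for {user_uid_48!r}: device has "
                               f"{old_cs}, server has {self.last_countersign[user_uid_48]}")
            return "Login Failed", None
        self._position[user_uid_48] += 1
        new_cs = self._countersign(user_uid_48, self._position[user_uid_48])
        self.last_countersign[user_uid_48] = new_cs   # New C/S becomes the stored value
        return "Login Successful", new_cs


class PersonalKeyingDevice30:
    """Holds the User UID 48 and Last Countersign 62'; the PIN 50 is typed, not stored."""

    def __init__(self, user_uid_48: bytes, last_countersign: str):
        self.user_uid_48 = user_uid_48
        self.last_countersign = last_countersign

    def copy(self):
        """A byte-for-byte copy of the device contents."""
        return PersonalKeyingDevice30(self.user_uid_48, self.last_countersign)


def login(server: SecurityServer24, device: PersonalKeyingDevice30, pin_typed: str) -> str:
    """Steps 1-7 collapsed: present UID, PIN and Old C/S; on success store New C/S (Step 7)."""
    result, new_cs = server.identify(device.user_uid_48, pin_typed, device.last_countersign)
    if new_cs is not None:
        device.last_countersign = new_cs
    return result


def honest_scenario():
    """One user, one device, three logins in a row: the sequence advances, no alarm."""
    server = SecurityServer24(b"constructed-sequence-secret")
    uid = b"user-uid-48-0007"
    device = PersonalKeyingDevice30(uid, server.enroll(uid, "4321"))
    results = [login(server, device, "4321") for _ in range(3)]
    return results, len(server.alarms)


def copied_device_scenario():
    """The text's 'A'/'B' example: the copy is used first (the text assumes the copier
    also gets past the PIN somehow), so the legitimate device is left one countersign
    behind and the legitimate user's next login raises the alarm."""
    server = SecurityServer24(b"constructed-sequence-secret")
    uid = b"user-uid-48-0007"
    legit = PersonalKeyingDevice30(uid, server.enroll(uid, "4321"))
    copied = legit.copy()
    first = login(server, copied, "4321")   # server moves on to "B"
    second = login(server, legit, "4321")   # legitimate device still presents "A"
    return first, second, len(server.alarms)


if __name__ == "__main__":
    print(honest_scenario())
    print(copied_device_scenario())
```
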
Privileged Services 

This phase of the operation involves a user 5, 
whose identity has already been presented to and au- 
thenticated by the Security Server 24, invoking a privi- 
leged operation by that Server 24. The user is identified 
to the Security Server 24 by the User UID 48. The Se- 
curity Server 24 is authenticated to the user by the 
Countersign 62. 

The steps involved in this phase of the operation 
are keyed to the diagrams given in Figure 25 to Figure 
28. The logic used in data protection is omitted from 
these diagrams. 

Step 1 (Figure 25)

The user 5 signals his or her desire to invoke a priv- 
ileged operation by an appropriate entry in the keyboard 
34 of the Personal Keying Device 30. This entry is 
shown as "ATTN" in the Figures. The User UID 48 is
then extracted from the Personal Keying Device 30. 

Step 2 (Figure 25) 

The combination of the "ATTN" signal and the User 
UID 48 is encrypted with the Enclave Key 40 and trans- 
mitted to the Security Server 24. 

Step 3 (Figure 26) 

The combination of the "ATTN" signal and the User 
UID 48 is decrypted using the Enclave Key 40. 

Step 4 (Figure 26) 

The User UID 48 is transferred to the Storage 
Search Logic 72 and the "ATTN" signal is transferred to
the Privileged Operation Logic 73. 

Step 5 (Figure 26)

The Storage Search Logic 72 then extracts the us- 
er's Privileges 95 from the User Attribute Data Base 80 
and passes them to the Privileged Operation Logic 73. 

Step 6 (Figure 27) 

The Storage Search Logic 72 extracts the Counter- 
sign 62 from the User Attribute Data Base 80 and pass- 
es it to the Key Management Crypto 70, which encrypts 
it with the Enclave Key 40 and transmits it to the Crypto
Media Controller 26, which initiated the request.

Step 7 (Figure 28)

The Crypto Media Controller 26 decrypts the Coun- 
tersign 62 and causes it to be displayed on the Personal 
Keying Device 30. 

At this point, both the user and the Security Server 
24 are aware, in authenticated fashion, that a privileged 
operation is to be invoked. The invocation of the opera- 
tion, which may involve multiple interactions, can then 
proceed. The operation is terminated by a series of 
steps which is symmetric to those presented above. 

An alternate, preferred embodiment of the Trusted 
Path is described further below, with reference to Fig- 
ures 29 - 34. The Trusted Path phase of the Data En- 
clave process is preferably implemented using the rel- 
evant aspects of this alternate embodiment. These as- 
pects include Identification and Authentication, Trusted 
Command Initiation (Privileged Services) and Key Man- 
agement. 

ADVANTAGES OVER PRIOR ART 

The Data Enclave System of the present invention 
provides a number of advantages over the prior art, as 
outlined below. 

Security 

The data enclave invention offers comprehensive 
security to the data within the Enclave 20; there are no 
"sneak paths" or "holes" that exist in approaches where 
the data is protected on media but the Wide Area Net- 
work 16 connections are open, or vice versa. 

The invention minimizes the damage that can be 
done by privileged individuals who become subverted. 
Cryptographic keys are transmitted and stored entirely 
in enciphered form. Well-known techniques (so-called
"antitamper" technology) can be used to protect the En- 
clave Key when it is stored in the Crypto Media Control- 
lers 26 and the Security Server 24. Theft of elements of 
the invention such as the Personal Keying Device 30 
and the Crypto Media Controllers 26 does not compro- 
mise any part of the operation of the invention. 

Low Cost 

The invention uses a small number of special ele- 
ments in a wide variety of ways. Maximum use is made 
of the cryptographic devices, which are typically the 
most expensive parts of a data security device. The 
same devices are used for media protection and authen- 
ticated interactions with the Security Server. 

Ease of Use 

Individuals desiring access to media have to deal 
with the Security Server only when media is initialized.
"Unlocking" a unit of media requires an operation no
more complicated than using a TV remote control. Over- 
head and delay is concentrated at the time a media is 
"unlocked" and no delays or incompatibilities are intro-
duced during operations using the media.

Identification and authentication of users to the Se- 
curity Server 24 is both simpler and more robust than 
prior art such as passwords. The same basic steps are 
used for security operations dealing with media and 
dealing with the Security Server 24. 

Exceptional or emergency situations can be accom-
modated. A trusted command initiation can override a
security policy enforced by the Security Server 24 and 
release data to persons who would normally be unau- 
thorized to access it. 

Flexible Control of Media 

In the data protection area, the system associates 
Media 2 or 4 primarily with users and secondarily with 
machines. This is a more natural structure than one 
where Media 2 or 4 is only useable on a single machine. 

The access control logic, which computes allowed 
access at the last possible moment using the combina- 
tion of an individual's Access Vector 52 and the Device 
Attributes 58 assigned to a particular Workstation, can 
be used to enforce a variety of security policies. For ex- 
ample, an individual's access to data may be restricted 
not only on the basis of the individual's attributes, but 
also to protected physical locations. Thus, an individu- 
al's Access Vector 52 may grant "read" access to a unit 
of media which contains proprietary engineering data, 
but the comparison against the Device Attributes 58 of 
the Crypto Media Controller 26 making the access may 
restrict display of the contents of the unit of media to 
those machines inside a particular facility or office. 
Physical security measures can then be used to restrict 
who may be in the vicinity when the data is displayed. 
Prior art in this area permits only an "all or nothing" ap- 
proach to access. 

Sharing and Backup of Media 

An individual's access to an initialized media can be 
restored, or a second individual granted access, by 
bringing together the media, the requisite Personal Key- 
ing Device 30, and a Workstation 10 equipped with a 
Crypto Media Controller 26 that is keyed with the appro- 
priate Enclave Key. 

Positive Control of Privileged Operations 

Remotely invoked privileged operations at the Se- 
curity Server 24 are under the positive control of the user 
5. That control is cryptographically protected and mutu-
ally authenticated.




ALTERNATE EMBODIMENT OF DATA ENCLAVE 
SYSTEM 

An alternate embodiment of the Data Enclave Sys-
tem 20 is shown in Figs. 29, 30 and 31. Alternate em-
bodiment 300 provides for operation of the Data Enclave
System in a non-networked environment.

Data Elements 


The data elements of the alternate embodiment 300 
correspond to those described with reference to embod- 
iment 20. 

Processing Elements

Crypto Support Center 

A Crypto Support Center 310 is provided for each 
organization or set of organizations. The Crypto Support
Center 310 is used for archival storage and distribution 
of cryptographic keys. Crypto Support Center 310 is per-
manently installed in a secure area, and includes a Se-
cure Computer 311 and a Communications Security De-
vice 312. Secure Computer 311 may be of generally the
same design as Security Server 24 as described and 
illustrated with reference to embodiment 20. However, 
there is no requirement that the Secure Computer 311 
be networked to the work stations 340 within the organ-
ization.

Local Crypto Support Device 

There is at least one local Crypto Support Device
320 for each organization. Each local Crypto Support
Device 320 is portable, for example, lap-top computer 
size. Preferably, local Crypto Support Devices 320 are 
equipped with theft detection circuitry, such as that used 
to deter shoplifting. Local Crypto Support Devices 320
are used in key distribution and are equipped with a
Communications Security Device 322 that is compatible 
with the Communication Device 312 in Crypto Support 
Center 310. Local Crypto Support Device 320 includes 
a Key Management Crypto 324 which functions sub-
stantially the same as the Key Management Crypto 70
described with reference to the embodiment 20 of the 
data enclave system, insofar as media initialization, key 
generation and key assignment are concerned. Crypto 
Support Devices 320 further include a disk drive 326,
which may be used to read and write removable media
302, and a data interface 328, which may be coupled to 
a Crypto Media Controller in a Workstation 340. The in-
terface can either be wired or wireless (for example, ra-
dio or infra-red).


Personal Keying Device 

Each user is issued a Personal Keying Device 330 
of the same design as Personal Keying Device 30 de-
scribed above with reference to embodiment 20 of the
Data Enclave System. Personal Keying Device 330 is 
used for key insertion and individual authentication. Per-
sonal Keying Device 330 includes electronic storage
331, a key pad, a display and a Data Transfer Interface
332, which is compatible with the Data Transfer Inter-
face in the local Crypto support device 320. Personal
Keying Devices 330 may also be equipped with theft de- 
tection circuitry. 

Crypto Media Controller 

Each work station 340 operating within the enclave 
300 includes a Crypto Media Controller 342 of the same 
design as Crypto Media Controller 26, with the excep- 
tion that Crypto Media Controller 342 does not include 
logic and functions for media initialization and key gen- 
eration, or key assignment for already initialized media. 
Crypto Media Controller 342 further includes a Data In- 
terface 344 compatible with Data Interface 328 in the 
Local Crypto Support Device 320. 

OPERATION OF ALTERNATE EMBODIMENT 300 

Alternate embodiment 300 is similar in many re-
spects to embodiment 20, except that Local Crypto Sup-
port Device 320 and Crypto Support Center 310 perform
certain functions performed in embodiment 20 by Crypto
Media Controller 26 and Security Server 24, respectively,
namely those functions described in Steps 1-13 of the
Media Initialization and Key Generation process and in
Steps 1-14 of the Key Assignment process (for initial-
ized media) of embodiment 20. In addition, the Local Area
Network 12 link used in embodiment 20 is replaced with the
secure connection established between Communica- 
tions Security Devices 312 and 322 in the Local Crypto 
Support Device 320 and Crypto Support Center 310. 

Media Initialization and Key Assignment 

The following description of the media initialization 
and key assignment operation refers to Figs. 30 and 31 . 

An individual brings together a blank unit of physical 
media 302, his or her Personal Keying Device 330, and 
the appropriate Local Crypto Support Device 320. If the 
media is fixed, Personal Keying Device 330 and local 
Crypto support device 320 are brought to the Worksta- 
tion 340 containing the fixed media 302. As shown in 
Fig. 30, data interfaces are then established between 
Personal Keying Device 330 and Local Crypto Support 
Device 320 on the one hand and in between Local Cryp- 
to Support Device 320 and the Crypto Media Controller 
342 for the fixed media on the other. Once these inter- 
faces are established, a secure link is made between 
Local Crypto Support Device 320 and Crypto Support 
Center 310 using the Communication Security Devices 
312 and 322. The Trusted Path Protocol of the present
invention may be used to establish a secure link.

If the media 302 is removable, the media 302 is 
brought to the Local Crypto Support Device 320, where 
it can be read and written using Disk Drive 326. This
configuration is shown in Figure 31.

The individual desiring access to Media 302 then 
enters his or her PIN 58 into Personal Keying Device 
330 which transmits it to Local Crypto Support Device 
320. Local Crypto Support Device 320 extracts the en-
crypted User UID 56 from Personal Keying Device 330
and decrypts it using the Enclave Key 50. 

Local Crypto Support Device 320 then initiates a se- 
cure connection to the Crypto Support Center 310 and 
transmits the User UID 56 to it.

Local Crypto Support Device 320 and the Crypto
Support Center 310, with the optional aid of authorized 
individuals, generate a Media UID 54, Media Key 52, 
and Access Vector 60 for use of the media 302. At the 
end of this process, the Media UID 54, Media Key 52,
User UID 56, and Access Vector 60 are archived togeth-
er at the Crypto Support Center 310 and stored tempo-
rarily in Local Crypto Support Device 320. 

Local Crypto Support Device 320 then writes the 
Media UID 54 to an appropriate location on Media 302
(e.g., Volume Label). It combines the User UID 56, En-
clave Key 50, and PIN 58 to form a key with which it
enciphers the Media Key/Access Vector pair 62. It uses 
the Media UID 54 to index storage 332 of Personal Key-
ing Device 330 and stores the enciphered pair 62 in the
appropriate location.

At this point, the initialization is complete. Media 
302 can be identified and the individual's Personal Key-
ing Device 330 contains a Media Key 52 which can only
be used by an individual who has physical possession
of that Personal Keying Device 330, knows that individ-
ual's PIN 50, and has Media 302 controlled by a Crypto
Media Controller 342, containing the Enclave Key. 

Keying of Devices

An individual establishes a data transfer interface between his or her Personal Keying Device 330 and any Crypto Media Controller 342 containing the Enclave Key, and between that Crypto Media Controller 342 and the Media 302 the individual desires to access. If the media 302 is removable, this will involve placing the unit of media 302 into the appropriate device (e.g., diskette drive) of the Workstation 340. From this point on, the alternate embodiment 300 operates in the same manner as the first described Data Enclave embodiment 20, as set forth in Steps 1-10 under the heading "Keying of Devices."

Key Assignment for Already Initialized Media

Key assignment is performed in substantially the same fashion as Media Initialization and Key Generation, insofar as the Personal Keying Device 330, Workstation 340, Local Crypto Support Device 320 and Crypto Support Center 310 interact to generate a Media Key/Access Vector pair 62 for the already initialized media 302 by reference to the Media Key 52 archived for that media at the Crypto Support Center 310.

The present invention is to be limited only in accordance with the scope of the appended claims, since others skilled in the art may devise other embodiments still within the limits of the claims. The above-described detailed architectures are not meant to be limiting, and other equivalent forms may be substituted if desired.



Claims 

1. A data enclave (20) for securing data carried on physical units of fixed (2) and removable (4) media, the data enclave (20) including a security server (24) connected over a network (12) to one or more workstations (10), wherein each workstation (10) includes a crypto media controller (26) used to read one of said physical units of media (2,4), the data enclave further comprising:

an enclave key (40) used to encrypt data transmitted within the data enclave (20), wherein a copy of the enclave key (40) is stored in the security server (24) and the workstations (10);

a personal keying device (30) for each user in the data enclave (20);

a personal identification number (PIN) (50) and a user unique identifier (user UID) (48) assigned to each user in the enclave (20), wherein each user UID (48) is encrypted with the enclave key and stored in the personal keying device (30) of the user associated with the user UID;

a set of user attributes (56) provided for each user, wherein each set of user attributes (56) represents user privileges and other security related information pertaining to a particular user and wherein each set of user attributes (56) is associated with the user UID (48) of its respective user;

a media key (42) for each physical unit of media (2,4), wherein the media key (42) is used to encrypt and protect data carried on the media;

a media unique identifier (media UID) (46) for each physical unit of media (2,4); and

a set of media attributes (54) provided for each physical unit of media (2,4), wherein each set of media attributes (54) represents sensitivity or other security related information pertaining to data carried on a particular unit of media and wherein each set of media attributes (54) is associated with the media UID (46) of its respective physical unit of media (2,4); characterised in that

the security server (24) comprises:

security policy logic (86) for computing, from the set of user attributes assigned to a particular user (5) and the set of media attributes assigned to a particular unit of media (2,4), an access vector (52) which defines limits on access by the particular user (5) to the particular unit of media (2,4); and

a key management crypto (70) for combining the access vector (52) and the media key (42) assigned to the particular unit of media (2,4) to form a media key/access vector pair (91) and for enciphering the media key/access vector pair (91) with a combined key formed from the enclave key (40) and the user UID (48) and PIN (50) of the particular user (5);

wherein the personal keying device (30) comprises means (78) for storing the enciphered media key/access vector pair (91); and

wherein the crypto media controller (26) comprises means (70, 72, 76) for controlling access to data on the particular unit of media (2,4) as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical unit of media (2,4) and the media key/access vector pair (91) retrieved from the personal keying device (30) of the particular user (5).

2. A data enclave method for securing data carried on physical units of fixed (2) and removable (4) media in a data enclave (20) including a security server (24) connected over a network (12) to one or more workstations (10), wherein each workstation (10) includes a crypto media controller (26) used to read one of said physical units of media (2,4), the method comprising the steps of:

providing an enclave key (40) used to encrypt data transmitted within the data enclave (20);

storing a copy of the enclave key (40) in the security server (24) and the workstations (10);

providing a personal keying device (30) for each user in the data enclave (20);

assigning a personal identification number (PIN) (50) and a user unique identifier (user UID) (48) to each user in the enclave (20);

assigning a set of user attributes (56) for each user, wherein each set of user attributes (56) represents user privileges and other security related information pertaining to a particular user;

associating each set of user attributes (56) with the user UID (48) of its respective user;

encrypting each user UID (48) with the enclave key and storing each encrypted user UID (48') in the personal keying device (30) of the user associated with the user UID (48);

assigning a media key (42) and a media unique identifier (media UID) (46) for each physical unit of media (2,4), wherein the media key (42) is used to encrypt and protect data carried on the media;

assigning a set of media attributes (54) for each physical unit of media (2,4), wherein each set of media attributes (54) represents sensitivity or other security related information pertaining to data carried on a particular unit of media; and

associating each set of media attributes (54) with the media UID (46) of its respective physical unit of media (2,4); and characterised by

computing, from the set of user attributes assigned to a particular user (5) and the set of media attributes assigned to a particular unit of media (2,4), an access vector (52) which defines limits on access by the particular user (5) to the particular unit of media (2,4);

combining the access vector (52) and the media key (42) assigned to the particular unit of media (2,4) to form a media key/access vector pair (91);

enciphering the media key/access vector pair (91) with a combined key formed from the enclave key (40) and the user UID (48) and PIN (50) of the particular user (5); and

storing the enciphered media key/access vector pair (91) in the personal keying device (30) of the particular user (5); and

controlling access to data on the particular unit of media (2,4) as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical unit of media (2,4) and the media key/access vector pair (91) retrieved from the personal keying device (30) of the particular user (5).

3. A method according to claim 2 wherein the method further comprises the step of providing device attributes for each workstation (10), the device attributes representing security attributes of the workstations (10), and wherein the step of controlling access comprises the steps of:

determining the workstation (10) being used by the particular user (5);

retrieving the device attributes (58) associated with the workstation (10) being used by the particular user (5);

extracting the access vector (52) from the encrypted media key/access vector pair (91) retrieved from the personal keying device (30) of the particular user (5); and

combining the retrieved device attributes (58) with the extracted access vector (52) to determine access rights by the particular user (5) on the particular workstation (10).
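The two computations named in claims 1 and 3, as an added example that is not part of the patent: the server's security policy logic (86) turns a set of user attributes (56) and a set of media attributes (54) into an access vector (52), and the crypto media controller later combines that vector with the device attributes (58) of the workstation in use. The attribute fields, the four-level sensitivity lattice, the compartment rule and the two workstation attributes are this example's assumptions; the claims only say that rules and/or an administrator produce the vector.

```python
# Added example, not the patent's own logic: a rule-based stand-in for the
# security policy logic (86) of claim 1 (user attributes x media attributes
# -> access vector) and for the device-attribute combination of claim 3.
# The attribute fields, the sensitivity lattice and the rules are assumptions.
from dataclasses import dataclass

LEVELS = ("unclassified", "confidential", "secret", "top_secret")  # assumed lattice


def _rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass(frozen=True)
class UserAttributes:                  # set of user attributes (56), keyed by user UID
    user_uid: str
    clearance: str
    compartments: frozenset = frozenset()
    privileges: frozenset = frozenset()  # e.g. {"write"}


@dataclass(frozen=True)
class MediaAttributes:                 # set of media attributes (54), keyed by media UID
    media_uid: str
    sensitivity: str
    compartments: frozenset = frozenset()
    read_only: bool = False            # e.g. a distribution master


@dataclass(frozen=True)
class DeviceAttributes:                # device attributes (58) of one workstation
    workstation: str
    accredited_level: str              # highest sensitivity this workstation may handle
    removable_write: bool              # may removable media be written on it


def compute_access_vector(user: UserAttributes, media: MediaAttributes) -> frozenset:
    """Server-side policy logic: returns the access vector (52) as a set of modes.
    Rules (assumed): read needs a dominating clearance and all compartments;
    write additionally needs the 'write' privilege and writable media.
    An empty vector means the server grants no access at all."""
    rights = set()
    if _rank(user.clearance) >= _rank(media.sensitivity) and media.compartments <= user.compartments:
        rights.add("read")
        if "write" in user.privileges and not media.read_only:
            rights.add("write")
    return frozenset(rights)


def effective_rights(access_vector: frozenset, media: MediaAttributes,
                     device: DeviceAttributes) -> frozenset:
    """Claim 3, evaluated in the crypto media controller: the device attributes
    can only narrow what the access vector granted, never widen it."""
    if _rank(device.accredited_level) < _rank(media.sensitivity):
        return frozenset()             # workstation not accredited for this media
    rights = set(access_vector)
    if not device.removable_write:
        rights.discard("write")
    return frozenset(rights)


def demo() -> dict:
    """Constructed sample attributes; returns every decision so it can be checked."""
    alice = UserAttributes("alice", "secret", frozenset({"payroll"}), frozenset({"write"}))
    bob = UserAttributes("bob", "confidential", frozenset({"payroll"}), frozenset({"write"}))
    disk = MediaAttributes("MEDIA-0001", "secret", frozenset({"payroll"}))
    lab = DeviceAttributes("ws-lab-7", "secret", removable_write=True)
    kiosk = DeviceAttributes("ws-kiosk-2", "secret", removable_write=False)
    lobby = DeviceAttributes("ws-lobby-1", "confidential", removable_write=True)
    av_alice, av_bob = compute_access_vector(alice, disk), compute_access_vector(bob, disk)
    return {
        "alice_vector": av_alice,                                    # read + write
        "bob_vector": av_bob,                                        # empty: clearance too low
        "alice_on_lab": effective_rights(av_alice, disk, lab),       # read + write
        "alice_on_kiosk": effective_rights(av_alice, disk, kiosk),   # read only
        "alice_on_lobby": effective_rights(av_alice, disk, lobby),   # empty: not accredited
    }


if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name:15} {sorted(rights)}")
```

The split matters for the trust model of the claims: the access vector is computed once, on the server, and travels enciphered inside the media key/access vector pair, so the workstation cannot forge a wider vector; the device attributes are applied locally because they describe the workstation rather than the user or the media, and the controller is only allowed to subtract from what the server granted.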

4. A method according to claim 2 wherein the method further comprises the steps of:

(a) providing key management crypto logic in each crypto media controller for (i) receiving a requesting user's PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) forming a first packet including the requesting user's PIN, the user UID and a request for initialization of a new unit of media, the request including the media attributes for the new unit of media;

(b) providing key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server;

(c) providing storage search logic in the server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user's PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization if the requesting user's PIN is not valid, (iv) extracting the media attributes from the request and commanding a media attribute data base stored in the server to make an entry for the new unit of media, and to create a new media UID for the new unit of media, and (v) indexing the user attribute data base with the user UID to extract the set of security attributes pertaining to the requesting user and passing the security attributes to security policy logic in the server;

(d) the security policy logic accepting the media attributes and the requesting user's security attributes and, using a set of rules and/or under the direction of a system administrator, computing a new access vector which defines limits on the access the requesting user will have to the new unit of media;

(e) the key management crypto in the server also (i) generating, with the optional aid of a system administrator, a new media key for the new unit of media, and (ii) enciphering the new media key/access vector pair formed with the new media key and the new access vector with a combined key including the user UID, the user PIN and the enclave key, to form a second packet;

(f) the storage search logic also storing the enciphered second packet in a crypto key data base stored in the server, the second packet indexed according to the requesting user's user UID and the new media UID;

(g) providing further logic for sending the new media UID and the second packet to the Workstation from which the first packet was received; and

(h) providing storage search logic in the crypto media controller for (i) receiving the new media UID and writing it to an appropriate location on the new unit of media and (ii) storing the second packet containing the new media key/access vector pair in the personal keying device attached to the Workstation using the new media UID as an index.

5. A method according to claim 2 further comprising the steps of:

(a) providing key management crypto logic in each crypto media controller for (i) receiving a requesting user's PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, (iii) reading the media UID off an initialized unit of media and searching the personal keying device for a media key/access vector pair for the initialized unit of media for the requesting user using the user's PIN as an index, and (iv) if no pair is found, generating a request for a key assignment;

(b) the key management crypto logic in the workstations further (i) forming the first packet including the requesting user's PIN and user UID, the media UID for the initialized unit of media, and the request for key assignment, (ii) encrypting the first packet with the enclave key, and (iii) sending the packet to the security server over the network;

(c) providing key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server to obtain the requesting user's PIN and user UID, the media UID and the request;

(d) providing storage search logic in the security server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user's PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for key assignment set forth in the first packet if the requesting user's PIN is not valid, (iv) reading the user attribute data base using the user's PIN as an index and extracting the security attributes of the requesting user, and (v) passing the security attributes to security policy logic in the server;

(e) the security policy logic receiving the security attributes and computing a new access vector which defines limits on the access the user may have to the initialized unit of media, the new access vector computed using a set of rules and/or with the intervention of a system administrator;

(f) the storage search logic also (i) finding an enciphered key packet in a crypto key data base held in the security server which has been previously stored and which contains the media key for the initialized unit of media, (ii) when a packet is found, extracting the media key from it, and (iii) forming a new media key/access vector pair with the extracted media key and the new access vector, and a new key packet including the new media key/access vector pair, the user UID, and the media UID, and placing the new key packet in the crypto key data base for archival purposes;

(g) the crypto key logic also enciphering the new media key/access vector pair with a combined key including the user UID, the user's PIN, and the enclave key, and transmitting the enciphered packet along the network to the crypto media controller; and

(h) the crypto media controller using the media UID as an index to store the new media key/access vector pair in the personal keying device from which the user's PIN was entered, whereby the personal keying device contains a media key which can only be used by someone who has physical possession of that personal keying device, knows the user PIN associated with the media key, and has physical possession of the unit of media controlled by a crypto media controller containing the enclave key, the access of the user further being restricted by the access vector paired with the media key.

6. A method according to claim 2, further comprising the steps of:

(a) the crypto media controller also receiving a user PIN from a personal keying device from a user seeking access to an initialized unit of media under control of the crypto media controller;

(b) providing storage search logic in the crypto media controller for (i) reading the initialized unit of media and extracting the media UID, (ii) searching the storage in the personal keying device and extracting the enciphered media key/access vector pair for the media UID and passing it to a key management crypto in the crypto media controller;

(c) the key management crypto (i) fetching the user UID from the personal keying device and deciphering it using the enclave key, (ii) combining the user UID, the user PIN, and the enclave key to form a combined key to decrypt the media key/access vector pair, and passing the extracted media key to a data crypto and the access vector to the access control logic;

(d) the data crypto deciphering data on a unit of media using the media key and passing it to the access control logic, the data deciphered in response to a read or write request for the data by the Workstation;

(e) the access control logic controlling whether the desired mode of access is permitted based on the access vector and the device attributes contained within the crypto media controller, and aborting the attempted access to the data if the access is not permitted and otherwise permitting the access, whereby data is transferred to a Workstation for processing; and

(f) providing logic in the crypto media controller for causing a complete reset of the crypto media controller and requiring the keying process to be started from the beginning in the event that the personal keying device is uncoupled or the unit of media is removed from the Workstation.
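The packet exchange of claims 4 to 6, which is also the Media Initialization and Key Assignment flow of the alternate embodiment described above, as an added Python example that is not the patent's code. Assumptions of this example: the stand-in cipher (an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, under keys derived with PBKDF2-HMAC), the JSON layout of the first and second packets, a one-rule policy stand-in in place of the security policy logic, keeping the media key in the server's media table rather than extracting it from an archived enciphered packet, and every name and sample value. The personal keying device is modelled as a dictionary holding the enclave-key-encrypted user UID and a store indexed by media UID; the media is a dictionary with a volume label and a data area. The demo runs the initialization for one user, a key assignment for a second user against the same media, and the negative cases the claims call for: a reset controller, a wrong PIN, and a mode the access vector does not grant.

```python
import hashlib, hmac, json, secrets   # added example: cipher, KDF, packet layout and names are assumptions

def kdf(key: bytes, info: bytes, n: int = 32, rounds: int = 1) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key, info, rounds, n)   # HMAC-SHA256 KDF: key = secret, info = salt

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:   # HMAC-SHA256 counter-mode keystream (stand-in cipher)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC under separate derived keys; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor(kdf(key, b"enc"), nonce, msg)
    return nonce + ct + hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Tag first: a wrong PIN, wrong enclave key or altered packet is rejected here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("key packet: authentication failed")
    return _xor(kdf(key, b"enc"), nonce, ct)

def combined_key(enclave_key: bytes, user_uid: str, pin: str) -> bytes:
    """Combined key of claim 1; the stretching only slows PIN guessing by someone who already holds the enclave key."""
    return kdf(enclave_key, b"combined|" + user_uid.encode() + b"|" + pin.encode(), rounds=20_000)

class SecurityServer:
    """User attribute DB, media attribute DB and crypto key DB (claims 4 and 5)."""
    def __init__(self, enclave_key: bytes, users: dict):
        self.ek, self.users, self.media, self.key_db = enclave_key, users, {}, {}
    def handle(self, first_packet: bytes) -> tuple:
        req = json.loads(unseal(self.ek, first_packet))
        user = self.users.get(req["user_uid"])
        if user is None or not hmac.compare_digest(user["pin"], req["pin"]):
            raise PermissionError("PIN invalid: request aborted")
        if req["request"] == "init":                        # claim 4: new media UID and media key
            media_uid = "MEDIA-" + secrets.token_hex(4)
            self.media[media_uid] = {"attrs": req["media_attrs"], "key": secrets.token_bytes(32)}
        else:                                               # claim 5: media key taken from the archive
            media_uid = req["media_uid"]
        entry = self.media[media_uid]
        av = ["read"] if user["attrs"]["clearance"] >= entry["attrs"]["sensitivity"] else []   # policy stand-in
        av += ["write"] if av and user["attrs"].get("may_write") else []
        pair = json.dumps({"media_key": entry["key"].hex(), "access_vector": av}).encode()
        second = seal(combined_key(self.ek, req["user_uid"], req["pin"]), pair)
        self.key_db[(req["user_uid"], media_uid)] = second   # archived by user UID and media UID
        return media_uid, second

class CryptoMediaController:
    """Workstation side of claims 4-6; session holds the deciphered pair until reset() (claim 6 (f))."""
    def __init__(self, enclave_key: bytes, server: SecurityServer, device_attrs: dict):
        self.ek, self.server, self.dev, self.session = enclave_key, server, device_attrs, None
    def _first_packet(self, pkd: dict, pin: str, **fields) -> bytes:
        user_uid = unseal(self.ek, pkd["enc_user_uid"]).decode()    # user UID decrypted with the enclave key
        return seal(self.ek, json.dumps({"user_uid": user_uid, "pin": pin, **fields}).encode())
    def initialize_media(self, pkd: dict, pin: str, media: dict, media_attrs: dict) -> str:
        media_uid, second = self.server.handle(self._first_packet(pkd, pin, request="init", media_attrs=media_attrs))
        media["volume_label"], pkd["store"][media_uid] = media_uid, second   # claim 4 (h)
        return media_uid
    def key_up(self, pkd: dict, pin: str, media: dict) -> None:
        media_uid = media["volume_label"]                   # claim 6 (b): media UID read off the media
        if media_uid not in pkd["store"]:                   # claim 5: no pair held -> key assignment
            pkd["store"][media_uid] = self.server.handle(self._first_packet(pkd, pin, request="assign", media_uid=media_uid))[1]
        user_uid = unseal(self.ek, pkd["enc_user_uid"]).decode()
        pair = json.loads(unseal(combined_key(self.ek, user_uid, pin), pkd["store"][media_uid]))
        self.session = (bytes.fromhex(pair["media_key"]), set(pair["access_vector"]))
    def access(self, media: dict, mode: str, data: bytes = b"") -> bytes:
        media_key, av = self.session or (None, set())       # claim 6 (d)-(e); after reset() nothing is permitted
        if mode not in av or (mode == "write" and not self.dev["removable_write"]):
            raise PermissionError(f"{mode} denied: reset, access vector or device attributes")
        if mode == "write":
            media["data"] = seal(media_key, data)
        return unseal(media_key, media["data"])
    def reset(self) -> None:
        self.session = None                                 # PKD uncoupled or media removed

def demo() -> dict:
    """Constructed scenario: one enclave, two users, one removable diskette; returns what happened."""
    server = SecurityServer(secrets.token_bytes(32), {"alice": {"pin": "4711", "attrs": {"clearance": 2, "may_write": True}},
                                                      "bob": {"pin": "9999", "attrs": {"clearance": 2}}})
    alice = {"enc_user_uid": seal(server.ek, b"alice"), "store": {}}   # PKD: encrypted user UID + packet store
    bob = {"enc_user_uid": seal(server.ek, b"bob"), "store": {}}
    cmc = CryptoMediaController(server.ek, server, {"removable_write": True})
    disk, out = {"volume_label": None, "data": b""}, {}
    cmc.initialize_media(alice, "4711", disk, {"sensitivity": 2})
    cmc.key_up(alice, "4711", disk)
    out["alice_write"] = cmc.access(disk, "write", b"payroll Q3")
    cmc.reset()
    for label, call in (("after_reset", lambda: cmc.access(disk, "read")),
                        ("wrong_pin", lambda: cmc.key_up(alice, "0000", disk)),
                        ("bob_write", lambda: (cmc.key_up(bob, "9999", disk), cmc.access(disk, "write", b"x")))):
        try:
            call()
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    out["bob_read"] = cmc.access(disk, "read")              # Bob's assigned vector is read-only
    out["archive"] = sorted(u for u, _ in server.key_db)
    return out
```

Two points worth checking against the claims. First, the only state a thief of the personal keying device obtains is the encrypted user UID and the store of sealed packets; without the enclave key the combined key cannot be formed at all, and a holder of the enclave key still has to search the PIN space through the stretched derivation, which is why the PIN is never stored in the device. Second, the wrong-PIN case fails inside the controller at the tag check of the stored packet, before any media data is touched and without a round trip to the server, because the server only sees a PIN when a packet has to be created or assigned.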



Patentansprüche (Claims, translated from German)

1. A data enclave (20) for securing data located on physical units consisting of fixed (2) and removable (4) media, the data enclave (20) comprising a security server (24) connected by means of a network (12) to one or more workstations (10), each workstation (10) comprising a crypto media controller (26) used to read one of the physical units of media (2, 4), the data enclave (20) further comprising:

an enclave key (40) used to encrypt data transmitted within the data enclave (20), a copy of the enclave key (40) being stored in the security server (24) and in the workstations (10);

a personal keying device (30) for each user within the data enclave (20);

a personal identification number (PIN) (50) and a user unique identifier (user UID) (48) assigned to each user within the data enclave (20), each user UID (48) being encrypted by means of the enclave key (40) and stored in the personal keying device (30) of the user belonging to that user UID (48);

a set of user attributes (56) provided for each user, each set of user attributes (56) representing user privileges and other security-relevant information to be associated with an individual user, and each set of user attributes (56) being associated with the user UID (48) of the respective user;

a media key (42) for each physical unit (2, 4) of media, the media key (42) being used to encrypt and protect the data located on the media;

a media unique identifier (media UID) (46) for each physical unit of media (2, 4); and

a set of media attributes (54) provided for each physical unit of media (2, 4), each set of media attributes (54) representing the sensitivity or other security-relevant information to be associated with data located on an individual unit of media, and each set of media attributes (54) being associated with the media UID (46) of the corresponding physical unit of media (2, 4), characterised in that the security server (24) comprises:

security policy logic (86) for computing an access vector (52) which defines the limits of access by the individual user (5) to a particular unit of media (2, 4), the computation being performed from the set of user attributes associated with a particular user (5) and the set of media attributes associated with a particular unit of media (2, 4); and

a key management crypto (70) for combining the access vector (52) and the media key (42) associated with a particular unit of media (2, 4) in order to obtain a media key/access vector pair (91), and for encrypting the media key/access vector pair (91) with a combined key formed from the enclave key (40), the user UID (48) and the PIN (50) of the particular user (5);

wherein the personal keying device (30) has means (78) for storing the encrypted media key/access vector pair (91); and

wherein the crypto media controller (26) comprises means (70, 72, 76) for controlling access to data located on the particular unit of media (2, 4), this control being carried out as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical unit of media (2, 4) and the media key/access vector pair (91) obtained from the personal keying device (30) of the particular user (5).

2. A method for encrypting data in a data enclave, the data being located on physical units consisting of fixed (2) and removable (4) media within the data enclave (20), the data enclave (20) comprising a security server (24) connected by means of a network (12) to one or more workstations (10), each workstation (10) comprising a crypto media controller (26) used to read one of the physical units of media (2, 4), the method comprising the following steps:

providing an enclave key (40) used to encrypt data transmitted within the data enclave (20);

storing a copy of the enclave key (40) in the security server (24) and in the workstations (10);

providing a personal keying device (30) for each user within the data enclave (20);

assigning a personal identification number (PIN) (50) and a user unique identifier (user UID) (48) to each user within the data enclave (20);

assigning a set of user attributes (56) to each user, each set of user attributes (56) representing user privileges and other security-relevant information associated with an individual user;

assigning each set of user attributes (56) to the user UID (48) of the respective user;

encrypting each user UID (48) by means of the enclave key (40) and storing each encrypted user UID (48') in the personal keying device (30) of the user belonging to that user UID (48);

assigning a media key (42) and a media unique identifier (media UID) (46) to each physical unit of media (2, 4), the media key (42) being used to encrypt and protect the data located on the media;

assigning a set of media attributes (54) to each physical unit of media (2, 4), each set of media attributes (54) representing the sensitivity or other security-relevant information to be associated with data located on a particular unit of media (2, 4); and

assigning each set of media attributes (54) to the media UID (46) of the respectively associated physical unit of media (2, 4), characterised by

computing an access vector (52) which defines the limits of access by the individual, particular user (5) to a particular unit of media (2, 4), the computation being performed from the set of user attributes associated with a particular user (5) and the set of media attributes associated with a particular unit of media (2, 4);

combining the access vector (52) and the media key (42) associated with a particular unit of media (2, 4) in order to obtain a media key/access vector pair (91);

encrypting the media key/access vector pair (91) with a combined key formed from the enclave key (40), the user UID (48) and the PIN (50) of the particular user (5); and

storing the encrypted media key/access vector pair (91) in the personal keying device (30) of the particular user (5); and

controlling access to data located on the particular unit of media (2, 4), this control being carried out as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical unit of media (2, 4) and the media key/access vector pair (91) obtained from the personal keying device (30) of the particular user (5).

3. A method according to claim 2, wherein the method further comprises the following steps:

providing device attributes for each workstation (10), the device attributes representing security attributes of the workstations (10), and wherein the step of controlling access comprises the following steps:

determining the workstation (10) used by the particular user (5);

loading the device attributes (58) associated with the workstation (10) used by the particular user (5);

extracting the access vector (52) from the encrypted media key/access vector pair (91) obtained from the personal keying device (30) of the particular user (5); and

combining the loaded device attributes (58) with the extracted access vector (52) in order to establish the access rights of the particular user (5) on a particular workstation (10).

4. A method according to claim 2, wherein the method further comprises the following steps:

(a) providing key management crypto logic in each crypto media controller for (i) obtaining a requesting user PIN from the personal keying device, (ii) obtaining an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) generating a first packet which comprises the requesting user PIN, the user UID and an instruction for initialization of a new unit of media, the instruction including the media attributes for the new unit of media;

(b) providing the key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server;

(c) providing storage search logic in the server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user PIN received with the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization if the requesting user PIN is not valid, (iv) extracting the media attributes from the request and instructing a media attribute data base stored in the server to make a new entry for the new unit of media, and generating a new media UID for the new unit of media, and (v) indexing the user attribute data base by means of the user UID in order to extract the set of security attributes to be associated with the requesting user, and passing the security attributes to the security policy logic in the server;

(d) wherein the security policy logic, which receives the media attributes and the security attributes of the requesting user and uses a set of rules and/or operates under the direction of a system administrator, computes a new access vector which defines the limits on the access the requesting user has to the new unit of media;

(e) wherein the key management crypto logic in the server also (i) generates a new media key, optionally with the aid of a system administrator, for the new unit of media, and (ii) encrypts the new media key/access vector pair, which is formed with the new media key and the new access vector, by means of a combined key comprising the user UID, the user PIN and the enclave key, in order to generate a second packet;

(f) wherein the storage search logic also stores the encrypted second packet in a crypto key data base stored in the server, the second packet being indexed according to the user UID of the requesting user and the new media UID;

(g) wherein further logic is provided for sending the new media UID and the second packet to the workstation from which the first packet was received; and

(h) wherein storage search logic is provided in the crypto media controller for (i) receiving the new media UID and writing it to a suitable location on the new unit of media, and (ii) storing the second packet, which contains the new media key/access vector pair, in the personal keying device attached to the workstation, using the new media UID as an index.

5. Verfahren nach Anspruch 2, weiterhin mit den 
Schritten: 

(a) Vorsehen einer SchlOssetverarbeitungs- 
Verschlusselungslogik in jeder Verschlusse- 
lungs-Mediensteuereinheit zum (i) Erhalten ei- 
ner anfordernden Benutzer-PIN aus dem per- 
sonlichen Schlussel, (ii) zum Erhalten einer 
verschlusselten Benutzer-UID aus dem per- 
sonlichen Schlussel und zum Entschlusseln 
der Benutzer-UID unter Einsatz des Enklaven- 
schlussels, und (iii) zum Lesen der Medien-UID 
aus einer initialisierten Medieneinheit und zum 
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Durchsuchen des personlichen Schlussels 
nach einem Medienschlussel/Zugangsvektor- 
Paar fur die initialisierte Medieneinheit des an- 
fordernden Benutzers, indemdie Benutzer-PIN 
als ein Index eingesetzt wird, und (iv), falls kein s 
Paar gefunden wird, zur Erzeugung einer An- 
forderung fur eine Zuordnung eines Schlus- 
sels; 

(b) the cryptographic key management logic in the workstations further (i) forming a first packet comprising the requesting user PIN and the user UID, the media UID of the initialized media unit, and the key assignment request, (ii) encrypting the first packet with the enclave key, and (iii) sending the packet to the security server over the network; 

(c) providing cryptographic key management logic in the server for decrypting the first packet using the enclave key stored in the server, to obtain the requesting user PIN and user UID, the media UID and the request; 

(d) providing storage search logic in the security server for (i) reading a user attribute database stored in the server, using the user UID as an index, (ii) returning a pass value if the requesting user PIN received with the first packet matches a valid PIN stored in the user attribute database, (iii) aborting the initialization request contained in the first packet if the requesting user PIN is not valid, (iv) reading the user attribute database using the user PIN as an index and extracting the security attributes of the requesting user, and (v) passing the security attributes to the security policy logic in the server; 

(e) the security policy logic receiving the security attributes and computing a new access vector that defines the limits of the requesting user's access to the new media unit, the new access vector being computed using a set of rules and/or with the intervention of a system administrator; 

(f) the storage search logic also (i) locating, in a cryptographic key database held in the security server, a previously stored encrypted key packet that contains the media key for the initialized media unit, (ii) if a packet is found, extracting the media key from it, and (iii) forming a new media key/access vector pair from the extracted media key and the new access vector, as well as a new key packet comprising the new media key/access vector pair, the user UID and the media UID, and placing the new key packet in the cryptographic key database for archival purposes; 

(g) the cryptographic logic also encrypting the new media key/access vector pair with a combined key comprising the user UID, the user PIN and the enclave key, and sending the encrypted packet over the network to the cryptographic media controller; and 

(h) the cryptographic media controller using the media UID as an index to store the new media key/access vector pair in the personal key from which the user PIN was entered, so that the personal key contains a media key that can be used only by a person who is in physical possession of the personal key, knows the user PIN associated with the media key, and is in physical possession of the media unit controlled by a cryptographic media controller containing the enclave key, the user's access being further restricted by the combination of the access vector and the media key. 

6. Method according to claim 2, further comprising the steps of: 

(a) receiving, by the cryptographic media controller, a user PIN from the personal key of a user seeking access to an initialized media unit under the control of the cryptographic media controller; 

(b) providing storage search logic in the cryptographic media controller for (i) reading the initialized media unit and extracting the media UID, and (ii) searching the storage in the personal key, extracting the encrypted media key/access vector pair for the media UID, and passing it to a cryptographic key management unit in the cryptographic media controller; 

(c) the cryptographic key management unit (i) retrieving the user UID from the personal key and decrypting it using the enclave key, and (ii) combining the user UID, the user PIN and the enclave key to form a combined key for decrypting the media key/access vector pair, passing the extracted media key to the data cryptographic unit and passing the access vector to the access control logic; 

(d) the data cryptographic unit decrypting the data on a media unit using the media key and passing the decrypted data to the access control logic, in response to a read or write instruction for the data from the workstation; 

(e) the access control logic checking whether the desired mode of access is permitted, based on the access vector and the device attributes held in the cryptographic media controller, the logic aborting the attempted access to the data if the access is not authorized and otherwise permitting the access, whereby the data are transferred to the workstation for further processing; and 

(f) providing logic in the cryptographic media controller for effecting a complete reset of the cryptographic media controller, so that the key processing must begin again from the start, if the personal key is removed or if the media unit is removed from the workstation. 
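As an added illustration of the key handling in claims 5 and 6 (example code written for this page, not part of the patent): the security server seals the media key/access vector pair under a key combined from the enclave key, the user UID and the PIN, and the cryptographic media controller can recover the pair only with all three, so a wrong PIN shows up as a failed decryption rather than a PIN comparison, and the access vector is then checked together with the device attributes. The SHA-256 key combination, the HMAC counter-mode cipher with an HMAC tag, and the two-byte access vector layout (mode bits, minimum device class) are constructions assumed for this example; the claims name the inputs, not the algorithms.

```python
import hashlib
import hmac
import os
import struct

READ, WRITE = 0x01, 0x02  # constructed mode bits carried in the access vector

def combined_key(enclave_key: bytes, user_uid: bytes, pin: bytes) -> bytes:
    """Combine enclave key, user UID and PIN (claims 5(g), 6(c)); SHA-256 is an assumed construction."""
    return hashlib.sha256(b"combined|" + enclave_key + b"|" + user_uid + b"|" + pin).digest()

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC (assumed construction): nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong key, i.e. wrong PIN, or tampering)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def pack_pair(media_key: bytes, modes: int, min_device_class: int) -> bytes:
    """Media key/access vector pair: 32-byte media key, then an assumed 2-byte access vector."""
    return media_key + struct.pack(">BB", modes, min_device_class)

def unpack_pair(pair: bytes):
    modes, min_device_class = struct.unpack(">BB", pair[32:34])
    return pair[:32], modes, min_device_class

def server_issue_packet(enclave_key, user_uid, pin, media_key, modes, min_device_class):
    """Security server, claim 5(g): seal the new pair under the combined key."""
    return seal(combined_key(enclave_key, user_uid, pin), pack_pair(media_key, modes, min_device_class))

def make_personal_key(enclave_key: bytes, user_uid: bytes) -> dict:
    """Personal key: enclave-key-encrypted user UID plus pairs indexed by media UID (claim 5(h))."""
    return {"enc_uid": seal(enclave_key, user_uid), "pairs": {}}

def controller_access(enclave_key, personal_key, pin, media_uid, mode, device_class):
    """Cryptographic media controller, claim 6(b)-(e). Returns (status, media_key or None)."""
    blob = personal_key["pairs"].get(media_uid)                # (b) look up the pair by media UID
    if blob is None:
        return "KEY_ASSIGNMENT_REQUIRED", None                 # claim 5(a)(iv): no pair, ask the server
    user_uid = unseal(enclave_key, personal_key["enc_uid"])    # (c)(i) recover the user UID
    if user_uid is None:
        return "ABORT_BAD_PERSONAL_KEY", None
    pair = unseal(combined_key(enclave_key, user_uid, pin), blob)  # (c)(ii) combined key opens the pair
    if pair is None:
        return "ABORT_BAD_PIN", None                           # wrong PIN: the pair simply fails to open
    media_key, modes, min_device_class = unpack_pair(pair)
    if mode & ~modes or device_class < min_device_class:       # (e) access vector + device attributes
        return "ABORT_NOT_AUTHORIZED", None
    return "GRANTED", media_key                                # (d) media key goes to the data crypto unit

def demo() -> dict:
    """Constructed walk-through: one user, one initialized medium, five access attempts."""
    enclave_key = hashlib.sha256(b"constructed enclave key").digest()
    user_uid, pin, media_key = b"user-0001", b"1234", os.urandom(32)
    personal_key = make_personal_key(enclave_key, user_uid)
    personal_key["pairs"][b"MEDIA-01"] = server_issue_packet(
        enclave_key, user_uid, pin, media_key, READ, 2)        # read-only, device class >= 2
    attempts = {
        "read_ok": (pin, b"MEDIA-01", READ, 2),
        "write_denied": (pin, b"MEDIA-01", WRITE, 2),
        "weak_device": (pin, b"MEDIA-01", READ, 1),
        "wrong_pin": (b"0000", b"MEDIA-01", READ, 2),
        "unknown_medium": (pin, b"MEDIA-02", READ, 2),
    }
    results = {k: controller_access(enclave_key, personal_key, *a) for k, a in attempts.items()}
    results["key_recovered"] = results["read_ok"][1] == media_key
    return results
```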

Claims 

1. Data enclave (20) for securing data carried on fixed (2) and removable (4) physical media units, the data enclave (20) comprising a security server (24) connected via a network (12) to one or more workstations (10), in which enclave each workstation (10) comprises a cryptographic media controller (26) used to read one of said physical media units (2, 4), the data enclave further comprising: 



an enclave key (40) used to encrypt data transmitted within the data enclave (20), a copy of the enclave key (40) being stored in the security server (24) and in the workstations (10), 
a personal key device (30) for each user of the data enclave (20), 
a personal identification number (PIN) (50) and a unique user identifier (user UID) (48) assigned to each user of the enclave (20), each user UID (48) being encrypted with the enclave key and stored in the personal key device (30) of the user associated with the user UID, 
a set of user attributes (56) provided for each user, each set of user attributes (56) representing user privileges and other security-related information about a particular user, and each set of user attributes (56) being associated with the user UID (48) of its respective user, 
a media key (42) for each physical media unit (2, 4), the media key (42) being used to encrypt and protect the data carried on the medium, 
a unique media identifier (media UID) (46) for each physical media unit (2, 4), and 

a set of media attributes (54) provided for each physical media unit (2, 4), each set of media attributes (54) representing a sensitivity or other security-related information about the data carried on a particular media unit, and each set of media attributes (54) being associated with the media UID (46) of its respective physical media unit (2, 4), characterized in that: 

the security server (24) comprises: 

security policy logic (86) for computing, from the set of user attributes assigned to a particular user (5) and the set of media attributes assigned to a particular media unit (2, 4), an access vector (52) that defines limits on the access by the particular user (5) to the particular media unit (2, 4), and 

a cryptographic key management system (70) for combining the access vector (52) and the media key (42) assigned to the particular media unit (2, 4) to form a media key/access vector pair (91) and for encrypting the media key/access vector pair (91) with a combined key formed from the enclave key (40), the user UID (48) and the PIN (50) of the particular user (5), 
the personal key device (30) comprising means (78) for storing the encrypted media key/access vector pair (91), and 

the cryptographic media controller (26) comprising means (70, 72, 76) for controlling access to data on the particular media unit (2, 4) as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical media unit (2, 4) and the media key/access vector pair (91) retrieved from the personal key device (30) of the particular user (5). 

2. Data enclave method for securing data carried on fixed (2) and removable (4) physical media units in a data enclave (20) comprising a security server (24) connected via a network (12) to one or more workstations (10), each workstation (10) comprising a cryptographic media controller (26) used to read one of said physical media units (2, 4), said method comprising the following steps: 

providing an enclave key (40) used to encrypt data transmitted within the data enclave (20), 
storing a copy of the enclave key (40) in the security server (24) and in the workstations (10), 
using a personal key device (30) for each user in the data enclave (20), 

assigning a personal identification number (PIN) (50) and a unique user identifier (user UID) (48) to each user in the enclave (20), 
assigning a set of user attributes (56) to each user, each set of user attributes (56) representing the user's privileges and other security-related information about a particular user, 

associating each set of user attributes (56) with the user UID (48) of its respective user, 

encrypting each user UID (48) with the enclave key and storing each encrypted user UID (48') in the personal key device (30) of the user associated with the user UID (48), 

assigning a media key (42) and a unique media identifier (media UID) (46) to each physical media unit (2, 4), the media key (42) being used to encrypt and protect the data carried on the medium, 
assigning a set of media attributes (54) to each physical media unit (2, 4), each set of media attributes (54) representing a sensitivity or other security-related information about the data carried on a particular media unit, and 

associating each set of media attributes (54) with the media UID (48) of its respective physical media unit (2, 4), characterized in that: 

computing, from the set of user attributes assigned to a particular user (5) and the set of media attributes assigned to a particular media unit (2, 4), an access vector (52) that defines limits on the access by the particular user (5) to the particular media unit (2, 4), 
combining the access vector (52) and the media key (42) assigned to the particular media unit (2, 4) to form a media key/access vector pair (91), 
encrypting the media key/access vector pair (91) with a combined key formed from the enclave key (40), the user UID (48) and the PIN (50) of the particular user (5), and 
storing the encrypted media key/access vector pair (91) in the personal key device (30) of the particular user (5), and 
controlling access to the data on the particular media unit (2, 4) as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical media unit (2, 4) and the media key/access vector pair (91) retrieved from the personal key device (30) of the particular user (5). 

3. Method according to claim 2, wherein the method further comprises providing device attributes for each workstation (10), the device attributes representing security attributes of the workstations (10), and wherein the access control step comprises the following steps: 

determining the workstation (10) used by the particular user (5), 
retrieving the device attributes (58) associated with the workstation (10) used by the particular user (5), 

extracting the access vector (52) from the encrypted media key/access vector pair (91) retrieved from the personal key device (30) of the particular user (5), and 
combining the retrieved device attributes (58) with the extracted access vector (52) to determine the access rights of the particular user (5) at the particular workstation (10). 

4. Method according to claim 2, wherein the method further comprises the following steps: 

(a) providing cryptographic key management logic in each cryptographic media controller (i) for receiving a requesting user PIN from a personal key device, (ii) for receiving an encrypted user UID from the personal key device and decrypting the user UID using the enclave key, and (iii) for forming a first packet comprising the requesting user's PIN, the user UID and a request to initialize a new media unit, the request comprising the media attributes for the new media unit, 

(b) providing cryptographic key management logic in the server for decrypting the first packet using the enclave key stored in the server, 

(c) providing storage search logic in the server (i) for reading a user attribute database in the server using the user UID as an index, (ii) for returning a validation value if the requesting user's PIN received in the first packet matches a valid PIN stored in the user attribute database, (iii) for aborting the initialization request if the requesting user's PIN is not valid, (iv) for extracting the media attributes from the request and instructing a media attribute database stored in the server to make an entry for the new media unit and to create a new media UID for the new media unit, and (v) for indexing the user attribute database with the user UID in order to extract the set of security attributes belonging to the requesting user and for passing the security attributes to security policy logic in the server, 

(d) the security policy logic accepting the media attributes and the security attributes of the requesting user and, using a set of rules and/or under the direction of a system administrator, computing a new access vector that defines limits on the access the requesting user will have to the new media unit, 

(e) the cryptographic key management logic in the server (i) also generating, with the optional assistance of the system administrator, a new media key for the new media unit and (ii) encrypting the new media key/access vector pair, formed from the new media key and the new access vector, with a combined key comprising the user UID, the user PIN and the enclave key, to form a second packet, 

(f) the storage search logic also storing the encrypted second packet in a cryptographic key database held in the server, the second packet being indexed according to the user UID of the requesting user and the new media UID, 

(g) providing further logic for sending the new media UID and the second packet to the workstation from which the first packet was received, and 

(h) providing storage search logic in the cryptographic media controller (i) for receiving the new media UID and writing it to an appropriate location on the new media unit and (ii) for storing the second packet comprising the new media key/access vector pair in the personal key device attached to the workstation, using the new media UID as an index. 

5. Method according to claim 2, further comprising the following steps: 

(a) providing cryptographic key management logic in each cryptographic media controller (i) for receiving the requesting user's PIN from a personal key device, (ii) for receiving an encrypted user UID from the personal key device and decrypting the user UID using the enclave key, (iii) for reading the media UID from the initialized media unit and searching the personal key device for a media key/access vector pair for the initialized media unit for the requesting user, using the user PIN as an index, and (iv) if no pair is found, for generating a key assignment request, 

(b) the cryptographic key management logic in the workstations further (i) forming the first packet comprising the requesting user's PIN and the user UID, the media UID for the initialized media unit and the key assignment request, (ii) encrypting the first packet with the enclave key and (iii) sending the packet to the security server via the network, 
(c) providing cryptographic key management logic in the server for decrypting the first packet using the enclave key stored in the server in order to obtain the requesting user's PIN, the user UID, the media UID and the request, 

(d) providing storage search logic in the security server (i) for reading a user attribute database stored in the server using the user UID as an index, (ii) for returning a validation value if the requesting user's PIN received in the first packet matches a valid PIN stored in the user attribute database, (iii) for aborting the initialization request made in the first packet if the requesting user's PIN is not valid, (iv) for reading the user attribute database using the user PIN as an index and extracting the security attributes of the requesting user, and (v) for passing the security attributes to the security policy logic in the server, 

(e) the security policy logic receiving the security attributes and computing a new access vector that defines limits on the access the user may have to the initialized media unit, the new access vector being computed using a set of rules and/or with the intervention of a system administrator, 

(f) the storage search logic also (i) locating, in a cryptographic key database kept in the security server, a previously stored encrypted key packet that contains the media key for the initialized media unit, (ii) when a packet is found, extracting the media key from it, and (iii) forming a new media key/access vector pair from the extracted media key and the new access vector, and a new key packet comprising the new media key/access vector pair, the user UID and the media UID, and placing the new key packet in the cryptographic key database for archival purposes, 

(g) the cryptographic key logic also encrypting the new media key/access vector pair with a combined key formed using the user UID, the user PIN and the enclave key, and transmitting the encrypted packet over the network to the cryptographic media controller, and 

(h) the cryptographic media controller using the media UID as an index to store the new media key/access vector pair in the personal key device from which the user PIN was entered, so that the personal key device contains a media key that can be used only by someone who is in physical possession of that personal key device, knows the user PIN associated with the media key and is in physical possession of the media unit controlled by the cryptographic media controller containing the enclave key, the user's access being further restricted by the access vector paired with the media key. 

6. Method according to claim 2, further comprising the following steps: 

(a) the cryptographic media controller (i) also receiving a user PIN from the personal key device of a user seeking access to an initialized media unit under the control of the cryptographic media controller, 

(b) providing storage search logic in the cryptographic media controller (i) for reading the initialized media unit and extracting the media UID, and (ii) for searching the storage in the personal key device, extracting the encrypted media key/access vector pair for the media UID and passing it to a cryptographic key management system in the cryptographic media controller, 

(c) the cryptographic key management system (i) retrieving the user UID from the personal key device and decrypting it using the enclave key, and (ii) combining the user UID, the user PIN and the enclave key to form a combined key for decrypting the media key/access vector pair, and passing the extracted media key to a data cryptographic system and the access vector to the access control logic, 

(d) the data cryptographic system decrypting the data of a media unit using the media key and passing the decrypted data to the access control logic in response to a request by the workstation to read or write the data, 

(e) the access control logic checking whether the desired mode of access is authorized on the basis of the access vector and the device attributes held in the cryptographic media controller, aborting the attempted access to the data if the access is not authorized and otherwise permitting the access so that the data are transferred to a workstation for processing, and 

(f) providing logic in the cryptographic media controller for causing a complete reset of the cryptographic media controller and restarting the keying process from the beginning in the event that the personal key device is disconnected or the media unit is removed from the workstation. 